Windows Analysis Report
bgsTrRPJh0.exe

Overview

General Information

Sample name:bgsTrRPJh0.exe
renamed because original name is a hash value
Original sample name:2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759.exe
Analysis ID:1543072
MD5:7c62976c8d0e7434b327ce3c402d8a62
SHA1:0d91b68c7b1a1fb5471258591676fcf89025e238
SHA256:2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759
Tags:BlackBasta, exe, user-JAMESWT_MHT

Detection

BlackBasta
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Found ransom note / readme
Multi AV Scanner detection for submitted file
Yara detected BlackBasta ransomware
AI detected suspicious sample
Deletes shadow drive data (may be related to ransomware)
Drops a file containing file decryption instructions (likely related to ransomware)
Drops executable to a common third party application directory
Found Tor onion address
Infects executable files (exe, dll, sys, html)
Machine Learning detection for sample
May disable shadow drive data (uses vssadmin)
Potential evasive VBS script found (sleep loop)
Potential evasive VBS script found (use of timer() function in loop)
Sigma detected: Shadow Copies Deletion Using Operating Systems Utilities
Writes a notice file (html or txt) to demand a ransom
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: PowerShell Module File Created By Non-PowerShell Process
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • bgsTrRPJh0.exe (PID: 7396 cmdline: "C:\Users\user\Desktop\bgsTrRPJh0.exe" MD5: 7C62976C8D0E7434B327CE3C402D8A62)
    • cmd.exe (PID: 7552 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7560 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vssadmin.exe (PID: 7608 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • bgsTrRPJh0.exe (PID: 8092 cmdline: "C:\Users\user\Desktop\bgsTrRPJh0.exe" MD5: 7C62976C8D0E7434B327CE3C402D8A62)
    • cmd.exe (PID: 1836 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vssadmin.exe (PID: 6380 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • bgsTrRPJh0.exe (PID: 6920 cmdline: "C:\Users\user\Desktop\bgsTrRPJh0.exe" MD5: 7C62976C8D0E7434B327CE3C402D8A62)
    • cmd.exe (PID: 6448 cmdline: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3840 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • vssadmin.exe (PID: 7320 cmdline: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet MD5: B58073DB8892B67A672906C9358020EC)
  • cleanup
Name | Description | Attribution | Blogpost URLs | Link
Black Basta | "Black Basta" is a new ransomware strain discovered during April 2022 - looks in dev since at least early February 2022 - and due to their ability to quickly amass new victims and the style of their negotiations, this is likely not a new operation but rather a rebrand of a previous top-tier ransomware gang that brought along their affiliates. | No Attribution | | https://malpedia.caad.fkie.fraunhofer.de/details/win.blackbasta
No configs have been found
Source | Rule | Description | Author | Strings
0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |

Source | Rule | Description | Author | Strings
14.2.bgsTrRPJh0.exe.28f0000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
0.3.bgsTrRPJh0.exe.3150000.0.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
14.2.bgsTrRPJh0.exe.28f0000.1.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
10.3.bgsTrRPJh0.exe.27a0000.0.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |
10.2.bgsTrRPJh0.exe.2880000.1.raw.unpack | JoeSecurity_BlackBasta | Yara detected BlackBasta ransomware | Joe Security |

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Michael Haag, Teymur Kheirkhabarov, Daniil Yugoslavskiy, oscd.community, Andreas Hunkeler (@Karneades); Data: Command: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet, CommandLine: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet, CommandLine|base64offset|contains: u^, Image: C:\Windows\System32\vssadmin.exe, NewProcessName: C:\Windows\System32\vssadmin.exe, OriginalFileName: C:\Windows\System32\vssadmin.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 7552, ParentProcessName: cmd.exe, ProcessCommandLine: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet, ProcessId: 7608, ProcessName: vssadmin.exe
Source: Registry Key set; Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split); Data: Details: C:\Users\user\Desktop\bgsTrRPJh0.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\bgsTrRPJh0.exe, ProcessId: 7396, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Skype
Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Users\user\Desktop\bgsTrRPJh0.exe, ProcessId: 7396, TargetFilename: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txt
No Suricata rule has matched

AV Detection

Source: bgsTrRPJh0.exe; Virustotal: Detection: 72%
Source: bgsTrRPJh0.exe; ReversingLabs: Detection: 71%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 99.8% probability
Source: bgsTrRPJh0.exe; Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 10_2_028BEC50 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy,10_2_028BEC50
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 10_2_028BF220 CryptReleaseContext,10_2_028BF220
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 10_2_028BF330 CryptGenRandom,CryptReleaseContext,10_2_028BF330
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292EC50 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,CryptAcquireContextA,___std_exception_copy,14_2_0292EC50
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292F220 CryptReleaseContext,14_2_0292F220
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292F330 CryptGenRandom,CryptReleaseContext,14_2_0292F330
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0299A720 CryptReleaseContext,14_2_0299A720
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292EDB0 CryptAcquireContextA,GetLastError,CryptReleaseContext,14_2_0292EDB0
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292F190 CryptGenRandom,14_2_0292F190
Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Code function: 14_2_0292F150 CryptReleaseContext,14_2_0292F150

Compliance

Source: C:\Users\user\Desktop\bgsTrRPJh0.exe; Unpacked PE file: 10.2.bgsTrRPJh0.exe.2880000.1.unpack
Source: bgsTrRPJh0.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\ado\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\msadc\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\Ole DB\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\instructions_read_me.txtJump to behavior
                      Source: bgsTrRPJh0.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: bgsTrRPJh0.exe
                      Source: Binary string: AppVISVSubsystems64.pdbGCTL source: AppvIsvSubsystems64.dll.0.dr
                      Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.0.dr
                      Source: Binary string: AppVISVSubsystems64.pdb source: AppvIsvSubsystems64.dll.0.dr
                      Source: Binary string: AppVShNotify.pdb source: AppVShNotify.exe.0.dr
                      Source: Binary string: >rome_proxy.exe.pdb source: chrome_proxy.exe.0.dr
                      Source: Binary string: mavinject32.pdb source: MavInject32.exe.0.dr
                      Source: Binary string: $pe.pdb source: pe.dll.0.dr
                      Source: Binary string: AppVShNotify.pdbGCTL source: AppVShNotify.exe.0.dr

                      Spreading

                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7z.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\lgpllibs.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7-zip32.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\Uninstall.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\gkcodecs.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libGLESv2.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\crashreporter.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\firefox.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\freebl3.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zG.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\Mozilla Firefox\libEGL.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe System file written: C:\Program Files\7-Zip\7zFM.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0019617C FindFirstFileExW,10_2_0019617C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,10_2_0014E510
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00196566
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 10_2_0288CB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount,10_2_0288CB00
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0019617C FindFirstFileExW,14_2_0019617C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,14_2_0014E510
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_00196566
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FCB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount,14_2_028FCB00
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_02988602 FindFirstFileExW,14_2_02988602
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Code function: 14_2_028FC4DE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Thrd_sleep,__Mtx_unlock,14_2_028FC4DE

                      Networking

                      Source: bgsTrRPJh0.exe, 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd *!* To access .onion websites downlo
                      Source: bgsTrRPJh0.exe String found in binary or memory: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo
                      Source: bgsTrRPJh0.exe, 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, 0000000A.00000002.1558935200.00000000025D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1653485581.0000000000B50000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000002.1653485581.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr String found in binary or memory: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/
                      Source: pe.dll.0.dr String found in binary or memory: https://www.digicert.com/CPS0
                      Source: bgsTrRPJh0.exe String found in binary or memory: https://www.flos-freeware.ch
                      Source: bgsTrRPJh0.exe String found in binary or memory: https://www.flos-freeware.chopenmailto:florian.balmer
                      Source: bgsTrRPJh0.exe String found in binary or memory: https://www.rizonesoft.com
                      Source: bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr String found in binary or memory: https://www.torproject.org/
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0014BF90 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,10_2_0014BF90
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0014BF90 GetFileAttributesW,GetFileAttributesW,MessageBeep,DialogBoxIndirectParamW,LocalFree,ShellExecuteExW,GetShortPathNameW,StrCatBuffW,StrCatBuffW,StrCatBuffW,StrCatBuffW,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,SendMessageW,SendMessageW,SendMessageW,StrRetToBufW,PathRemoveBackslashW,PathIsSameRootW,SetFocus,SendMessageW,SendMessageW,SendMessageW,SendMessageW,PostMessageW,GetFocus,GetDlgCtrlID,GetDlgItem,SetFocus,GetDlgItem,SetFocus,PathFileExistsW,lstrcpyW,StrRChrW,PathIsRootW,SetCurrentDirectoryW,SendMessageW,SendMessageW,lstrcpynW,MessageBeep,lstrcpynW,PathIsRootW,PathIsRootW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,14_2_0014BF90
                      Source: AutoIt.chm.0.dr Binary or memory string: ./html/libfunctions/_WinAPI_GetRawInputData.htmemstr_2d35a436-2

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\instructions_read_me.txt Dropped file: ATTENTION! Your network has been breached and all data was encrypted. Please contact us at: https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd *!* To access .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) *!* To restore all your PCs and get your network working again, follow these instructions: - Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency. Please follow these simple rules to avoid data corruption: - Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. Waiting you in a chat.
                      Source: Yara match File source: 14.2.bgsTrRPJh0.exe.28f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.bgsTrRPJh0.exe.3150000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.bgsTrRPJh0.exe.28f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.bgsTrRPJh0.exe.27a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.bgsTrRPJh0.exe.2880000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.2.bgsTrRPJh0.exe.2880000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 10.3.bgsTrRPJh0.exe.27a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.3.bgsTrRPJh0.exe.2810000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.3.bgsTrRPJh0.exe.2810000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0.3.bgsTrRPJh0.exe.3150000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 7396, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 8092, type: MEMORYSTR
                      Source: Yara match File source: Process Memory Space: bgsTrRPJh0.exe PID: 6920, type: MEMORYSTR
                      Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: bgsTrRPJh0.exe Binary or memory string: C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\$WinREAgent\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\PerfLogs\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files (x86)\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\ProgramData\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Users\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\$WinREAgent\Scratch\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\7-Zip\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Adobe\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Common Files\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Google\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Internet Explorer\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Microsoft\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Microsoft Office 15\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Mozilla Firefox\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\MSBuild\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Reference Assemblies\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Uninstall Information\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File created: C:\Program Files\Windows Defender\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe File dropped, with the same matched content at each of the following paths:
                        C:\instructions_read_me.txt
                        C:\$WinREAgent\instructions_read_me.txt
                        C:\PerfLogs\instructions_read_me.txt
                        C:\Program Files\instructions_read_me.txt
                        C:\Program Files (x86)\instructions_read_me.txt
                        C:\ProgramData\instructions_read_me.txt
                        C:\Users\instructions_read_me.txt
                        C:\$WinREAgent\Scratch\instructions_read_me.txt
                        C:\Program Files\Adobe\Acrobat DC\Esl\instructions_read_me.txt
                        C:\Program Files\Adobe\Acrobat DC\Resource\instructions_read_me.txt
                      Matched content: -> decrypt or rename the files will lead to its fatal corruption. it doesn't matter, who are trying to do this, either it will be your it guys or a recovery agency. please follow these simple rules to avoid data corruption: - do not modify, rename or delete files. any attempts to modify, decrypt or rename the files will lead to its fatal corruption. - do not hire a recovery company. they can't decrypt without the key. they also don't care about your business. they believe that they are good negotiators, but it is not. they usually fail. so speak for yourself. waiting you in a chat.
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe Process Stats: CPU usage > 49%
                      Source: bgsTrRPJh0.exe, 00000000.00000000.1298020417.0000000000295000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
                      Source: bgsTrRPJh0.exe, 0000000A.00000000.1472969717.0000000000295000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
                      Source: bgsTrRPJh0.exe, 0000000E.00000000.1563242697.0000000000295000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
                      Source: bgsTrRPJh0.exe | Binary or memory string: OriginalFilenameminipath.exeD vs bgsTrRPJh0.exe
                      Source: bgsTrRPJh0.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: vssadmin.exe, 0000000D.00000002.1555612216.000001DFEC888000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: HEXT=.COM;.EXE;.BAT;.CMD;.VBP
                      Source: classification engine | Classification label: mal100.rans.spre.evad.winEXE@18/1723@0/0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Code function: 10_2_00142F30 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,LocalFree,GetFocus,MessageBoxExW,LocalFree,LocalFree
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Code function: 10_2_00146080 CoCreateInstance,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Code function: 10_2_0015144D LoadResource
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Code function: 14_2_0290F660 GetTickCount,GetTickCount,OpenSCManagerW,OpenServiceW,ChangeServiceConfigW,CloseServiceHandle,QueryServiceStatusEx,Sleep,QueryServiceStatusEx,GetTickCount,ControlService,Sleep,QueryServiceStatusEx,GetTickCount,GetTickCount,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | File created: C:\Program Files\instructions_read_me.txt
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | File created: C:\Users\instructions_read_me.txt
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7560:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3840:120:WilError_03
                      Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1648:120:WilError_03
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Mutant created: \Sessions\1\BaseNamedObjects\ofijweiuhuewhcsaxs.mutex
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | File created: C:\Users\user~1\AppData\Local\Temp\fkdjsadasd.ico
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: *.* | 10_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: TaskbarCreated | 10_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: 333 | 10_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: MiniPath | 10_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: *.* | 14_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: TaskbarCreated | 14_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: 333 | 14_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Command line argument: MiniPath | 14_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | File read: C:\Program Files\Mozilla Firefox\crashreporter.ini
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: bgsTrRPJh0.exe | Virustotal: Detection: 72%
                      Source: bgsTrRPJh0.exe | ReversingLabs: Detection: 71%
                      Source: unknown | Process created: C:\Users\user\Desktop\bgsTrRPJh0.exe "C:\Users\user\Desktop\bgsTrRPJh0.exe"
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                      Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: uxtheme.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: windows.storage.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: wldp.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: profapi.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe | Section loaded: ????????????.dll
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSection loaded: ????????????.dllJump to behavior
                      Source: C:\Windows\System32\vssadmin.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F2C2787D-95AB-40D4-942D-298F5F757874}\InProcServer32Jump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.iniJump to behavior
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\7-Zip\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Internet Explorer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft Office 15\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Uninstall Information\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Mail\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Multimedia Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Photo Viewer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Portable Devices\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Security\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\7-Zip\Lang\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Services\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Internet Explorer\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Internet Explorer\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Internet Explorer\images\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Internet Explorer\SIGNUP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft\OneDrive\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft Office 15\ClientX64\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\defaults\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\fonts\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\uninstall\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender\Offline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender\Platform\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\Classification\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Defender Advanced Threat Protection\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\Media Renderer\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\Network Sharing\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\Skins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Media Player\Visualizations\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\Accessories\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\TableTextService\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Photo Viewer\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Esl\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Resource\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\Acrobat\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\HelpCfg\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Stationery\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\VGX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\ado\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\msadc\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\Ole DB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\Application\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\features\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\browser\VisualElements\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\defaults\pref\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\Accessories\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\Accessories\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows NT\TableTextService\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Windows Security\BrowserCore\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Air\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Assets\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Browser\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocSettings\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\DocTemplates\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\HostedServicesTemplates\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\IDTemplates\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Javascripts\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Legal\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Locale\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\NGL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\ngl_resources\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\plug_ins3d\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RDCNotificationClient\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\RdrApp\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Sequences\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\Tracker\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Acrobat\x86\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Resource\CMap\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Resource\Font\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Resource\SaslPrep\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Adobe\Acrobat DC\Resource\TypeSupport\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\Acrobat\DC\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\Acrobat\Setup Files\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\Adobe\HelpCfg\en_US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ClickToRun\OnlineInteraction\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ar-SA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\bg-BG\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\cs-CZ\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\da-DK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\de-DE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\el-GR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-ES\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\es-MX\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\et-EE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fi-FI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-CA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fr-FR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\he-IL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hr-HR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\hu-HU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\HWRCustomization\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\it-IT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ja-JP\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ko-KR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\LanguageModel\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lt-LT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\lv-LV\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nb-NO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\nl-NL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pl-PL\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-BR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\pt-PT\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ro-RO\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\ru-RU\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sk-SK\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sl-SI\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\sv-SE\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\th-TH\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\tr-TR\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\uk-UA\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-CN\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\ink\zh-TW\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-GB\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\MSInfo\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\TextConv\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\microsoft shared\Triedit\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\ado\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\msadc\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Common Files\System\Ole DB\en-US\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\Application\117.0.5938.134\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Google\Chrome\Application\SetupMetrics\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Microsoft\OneDrive\ListSync\settings\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\instructions_read_me.txtJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDirectory created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\instructions_read_me.txtJump to behavior
                      Source: bgsTrRPJh0.exeStatic file information: File size 2026496 > 1048576
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_CURSOR
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_BITMAP
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_ICON
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_MENU
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_DIALOG
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_STRING
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_ACCELERATOR
                      Source: bgsTrRPJh0.exeStatic PE information: section name: RT_GROUP_ICON
                      Source: bgsTrRPJh0.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                      Source: bgsTrRPJh0.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: Binary string: E:\cpp\calc\Bin\Release_x86_v143\minipath.pdb source: bgsTrRPJh0.exe
                      Source: Binary string: AppVISVSubsystems64.pdbGCTL source: AppvIsvSubsystems64.dll.0.dr
                      Source: Binary string: mavinject32.pdbGCTL source: MavInject32.exe.0.dr
                      Source: Binary string: AppVISVSubsystems64.pdb source: AppvIsvSubsystems64.dll.0.dr
                      Source: Binary string: AppVShNotify.pdb source: AppVShNotify.exe.0.dr
                      Source: Binary string: >rome_proxy.exe.pdb source: chrome_proxy.exe.0.dr
                      Source: Binary string: mavinject32.pdb source: MavInject32.exe.0.dr
                      Source: Binary string: $pe.pdb source: pe.dll.0.dr
                      Source: Binary string: AppVShNotify.pdbGCTL source: AppVShNotify.exe.0.dr

                      Data Obfuscation

                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeUnpacked PE file: 10.2.bgsTrRPJh0.exe.2880000.1.unpack
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0014A370 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,10_2_0014A370
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_001A9A81 push ecx; ret 10_2_001A9A94
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_001C3C9B push edi; retf 10_2_001C3C9C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00153F10 push ecx; ret 10_2_00153F23
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_028F221F push ecx; ret 10_2_028F2232
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_001A9A81 push ecx; ret 14_2_001A9A94
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_001C3C9B push edi; retf 14_2_001C3C9C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00153F10 push ecx; ret 14_2_00153F23
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0296221F push ecx; ret 14_2_02962232
                      Source: bgsTrRPJh0.exeStatic PE information: section name: .data entropy: 7.703272639276241

                      Persistence and Installation Behavior

                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\freebl3.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\gkcodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\lgpllibs.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\libEGL.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeFile written: C:\Program Files\Mozilla Firefox\libGLESv2.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7-zip.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\default-browser-agent.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7z.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7z.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\lgpllibs.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7-zip32.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\Uninstall.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\gkcodecs.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\ipcclientcerts.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\libGLESv2.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\crashreporter.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\firefox.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\AccessibleMarshal.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\freebl3.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7zG.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\Mozilla Firefox\libEGL.dllJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeSystem file written: C:\Program Files\7-Zip\7zFM.exeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SkypeJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00150030 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW,10_2_00150030
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_001505C0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree,10_2_001505C0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00150C10 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,10_2_00150C10
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00149100 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups,10_2_00149100
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0014DAEB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,10_2_0014DAEB
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00150030 GetSysColor,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,IsWindowVisible,SendMessageW,SendMessageW,SendMessageW,SetForegroundWindow,GlobalSize,PathIsRelativeW,GetCurrentDirectoryW,PathAppendW,lstrcpyW,GlobalSize,SendMessageW,GlobalFree,LoadStringW,LoadStringW,LoadStringW,StrChrW,MessageBoxW,14_2_00150030
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_001505C0 lstrcpyW,lstrcpyW,EnumWindows,IsWindowEnabled,IsIconic,ShowWindowAsync,SetForegroundWindow,lstrlenW,GlobalAlloc,GlobalLock,lstrcpyW,GlobalUnlock,PostMessageW,StrChrW,MessageBoxW,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ShellExecuteExW,lstrcpynW,wsprintfW,DdeInitializeW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeCreateStringHandleW,DdeFreeStringHandle,DdeConnect,lstrlenW,DdeClientTransaction,DdeDisconnect,DdeFreeStringHandle,DdeFreeStringHandle,DdeFreeStringHandle,DdeUninitialize,GetShortPathNameW,StrCatBuffW,StrCpyNW,StrCatBuffW,StrCatBuffW,lstrcpyW,ExpandEnvironmentStringsW,lstrcpynW,ShellExecuteExW,DialogBoxIndirectParamW,LocalFree,14_2_001505C0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00150C10 lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,14_2_00150C10
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00149100 SetTimer,KillTimer,FindCloseChangeNotification,GetWindowPlacement,DragAcceptFiles,LocalFree,LocalFree,PostQuitMessage,DefWindowProcW,SendMessageW,DefWindowProcW,WaitForSingleObject,FindNextChangeNotification,SendMessageW,SetWindowPos,SetWindowPos,DefWindowProcW,ShowOwnedPopups,ShowOwnedPopups,SystemParametersInfoW,GetWindowRect,DrawAnimatedRects,ShowWindow,SetBkColor,SetTextColor,SendMessageW,SetWindowPos,RedrawWindow,IsIconic,ShowWindow,DragQueryFileW,DragQueryFileW,DragQueryFileW,DragFinish,GetWindowLongW,GetWindowLongW,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,SendMessageW,DestroyWindow,DestroyWindow,DestroyWindow,DestroyWindow,GetClientRect,SendMessageW,SendMessageW,UpdateWindow,IsWindowVisible,LoadMenuW,GetSubMenu,SetForegroundWindow,GetCursorPos,SetMenuDefaultItem,TrackPopupMenu,PostMessageW,DestroyMenu,PostMessageW,ShowOwnedPopups,14_2_00149100
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0014DAEB lstrcpyW,EnumWindows,IsIconic,IsZoomed,SendMessageW,SetForegroundWindow,SetForegroundWindow,BringWindowToTop,SetForegroundWindow,GetSystemMetrics,GetWindowRect,GetWindowRect,GetWindowRect,EqualRect,SystemParametersInfoW,DrawAnimatedRects,SetWindowPos,14_2_0014DAEB
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_028DE145 GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,10_2_028DE145
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                      Malware Analysis System Evasion

                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDropped file: Do While objScriptExec.Status = 0 WScript.Sleep 100Jump to dropped file
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDropped file: Do While objScriptEg>0uYjQtcrI22n_f"ZJWGU If iTimer = 50 ThenJump to dropped file
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeDropped file: Do While objScriptExec.Status = 0a&w0hW+F&~;D2k-6;8WW If iTimer = 50 ThenJump to dropped file
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeWindow / User API: threadDelayed 4658Jump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeAPI coverage: 4.2 %
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeAPI coverage: 3.8 %
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe TID: 7884Thread sleep count: 150 > 30Jump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exe TID: 7400Thread sleep count: 4658 > 30Jump to behavior
                      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0019617C FindFirstFileExW,10_2_0019617C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,10_2_0014E510
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose,10_2_00196566
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0288CB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount,10_2_0288CB00
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0019617C FindFirstFileExW,14_2_0019617C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0014E510 PathCompactPathExW,LoadStringW,LoadStringW,LoadStringW,SendMessageW,GetParent,DoDragDrop,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SHGetDataFromIDListW,FindFirstFileW,FindClose,StrFormatByteSizeW,FileTimeToLocalFileTime,FileTimeToSystemTime,GetDateFormatW,GetTimeFormatW,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,wsprintfW,SendMessageW,wsprintfW,lstrcmpW,SendMessageW,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree,StrRetToBufW,StrRetToBufW,StrRetToBufW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,lstrcmpW,14_2_0014E510
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00196566 FindFirstFileExW,FindNextFileW,FindClose,FindClose,14_2_00196566
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_028FCB00 FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,GetTempPathW,RegCreateKeyExW,GetTickCount,14_2_028FCB00
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_02988602 FindFirstFileExW,14_2_02988602
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_028FC4DE FindFirstFileW,lstrcmpW,FindNextFileW,GetLastError,FindClose,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__allrem,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Xtime_get_ticks,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,__Thrd_sleep,__Mtx_unlock,14_2_028FC4DE
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0015261D VirtualQuery,GetSystemInfo,10_2_0015261D
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtray.exe
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice
                      Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice.exeH
                      Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxtray.exeG
                      Source: bgsTrRPJh0.exe, 0000000A.00000002.1558828644.00000000008F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice>
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice|
                      Source: bgsTrRPJh0.exe, 0000000E.00000002.1653150327.00000000009F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: vboxservice.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeAPI call chain: ExitProcess graph end nodegraph_10-64153
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeAPI call chain: ExitProcess graph end nodegraph_14-106244
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00180F9D
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0014A370 CreateWindowExW,LoadLibraryW,GetProcAddress,FreeLibrary,GetWindowLongW,SetWindowLongW,SetWindowPos,SendMessageW,SendMessageW,#410,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetSystemMetrics,CreateWindowExW,SendMessageW,SendMessageW,SHGetFileInfoW,SendMessageW,SendMessageW,SendMessageW,DragAcceptFiles,SendMessageW,SendMessageW,GetSystemMenu,DeleteMenu,DeleteMenu,DeleteMenu,GetMenuItemInfoW,SetMenuItemInfoW,LoadStringW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,LoadStringW,LoadStringW,InsertMenuW,InsertMenuW,10_2_0014A370
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0018AB08 mov ecx, dword ptr fs:[00000030h]10_2_0018AB08
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193CBB mov eax, dword ptr fs:[00000030h]10_2_00193CBB
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193CFE mov eax, dword ptr fs:[00000030h]10_2_00193CFE
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193D41 mov eax, dword ptr fs:[00000030h]10_2_00193D41
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193D9C mov eax, dword ptr fs:[00000030h]10_2_00193D9C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193E62 mov eax, dword ptr fs:[00000030h]10_2_00193E62
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193EA6 mov eax, dword ptr fs:[00000030h]10_2_00193EA6
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193EEA mov eax, dword ptr fs:[00000030h]10_2_00193EEA
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00193F1B mov eax, dword ptr fs:[00000030h]10_2_00193F1B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0018AB08 mov ecx, dword ptr fs:[00000030h]14_2_0018AB08
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193CBB mov eax, dword ptr fs:[00000030h]14_2_00193CBB
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193CFE mov eax, dword ptr fs:[00000030h]14_2_00193CFE
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193D41 mov eax, dword ptr fs:[00000030h]14_2_00193D41
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193D9C mov eax, dword ptr fs:[00000030h]14_2_00193D9C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193E62 mov eax, dword ptr fs:[00000030h]14_2_00193E62
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193EA6 mov eax, dword ptr fs:[00000030h]14_2_00193EA6
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193EEA mov eax, dword ptr fs:[00000030h]14_2_00193EEA
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00193F1B mov eax, dword ptr fs:[00000030h]14_2_00193F1B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_02972DFB mov ecx, dword ptr fs:[00000030h]14_2_02972DFB
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00198AA2 GetProcessHeap,10_2_00198AA2
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00180F9D
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0015333F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,10_2_0015333F
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00153ACD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_00153ACD
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00153C63 SetUnhandledExceptionFilter,10_2_00153C63
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_028F2375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,10_2_028F2375
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00180F9D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00180F9D
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0015333F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_0015333F
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00153ACD IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_00153ACD
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_00153C63 SetUnhandledExceptionFilter,14_2_00153C63
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_02962375 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_02962375
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_02962508 SetUnhandledExceptionFilter,14_2_02962508
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_02962572 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,14_2_02962572
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 14_2_0296C983 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,14_2_0296C983
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeProcess created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\vssadmin.exe C:\Windows\SysNative\vssadmin.exe delete shadows /all /quietJump to behavior
                      Source: bgsTrRPJh0.exeBinary or memory string: Shell_TrayWnd
                      Source: bgsTrRPJh0.exe, 00000000.00000000.1297922158.00000000001AE000.00000002.00000001.01000000.00000003.sdmp, bgsTrRPJh0.exe, 0000000A.00000000.1472708636.00000000001AE000.00000002.00000001.01000000.00000003.sdmp, bgsTrRPJh0.exe, 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: uxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatederherthgrgherhre.erhgergMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
                      Source: bgsTrRPJh0.exeBinary or memory string: MAuxtheme.dllIsAppThemed - []\]%i %i%CSIDL:MYDOCUMENTS%.lnk"...%1%.2i"%s"Segoe UIMicrosoft JhengHei UIMicrosoft YaHei UIYu Gothic UIMalgun GothicWINDOWSTYLE;WINDOWShell_TrayWndTrayNotifyWndaf-ZA be-BY de-DE el-GR en-GB en-US es-ES es-MX fr-FR hi-IN hu-HU id-ID it-IT ja-JP ko-KR nl-NL pl-PL pt-BR pt-PT ru-RU sk-SK sv-SE tr-TR vi-VN zh-CN zh-TWTaskbarCreatederherthgrgherhre.erhgergMinPathNotepad3...AutoRefreshRateSysListView32ComboBoxEx32ToolbarWindow32Toolbar Labels%02i(none)msctls_statusbar32ReBarWindow32Toolbar -f0 -n -p %i,%i,%i,%iok\A-RHS%s | %s %s | %s%u-/%i,%i,%i,%iNotepad3.exe
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00153CD0 cpuid 10_2_00153CD0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx,10_2_001484F0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,10_2_0019C199
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_0019C43B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: ResolveLocaleName,GetLocaleInfoEx,10_2_00148460
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_0019C4A4
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_0019C53F
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,10_2_0019C5CA
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW,10_2_001466E0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_0019C81D
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_0019C946
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_0019CA4C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_0019CB1B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_00192C34
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_00192D93
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,10_2_00192DC5
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_00150FE9
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: LCIDToLocaleName,GetLocaleInfoEx,10_2_0015126B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_001936F0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_0291C244
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,10_2_0291C313
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,10_2_0291C015
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,10_2_0291C13E
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserPreferredUILanguages,GetUserPreferredUILanguages,LocalAlloc,GetUserPreferredUILanguages,LocalFree,GetLocaleInfoEx,14_2_001484F0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetACP,IsValidCodePage,GetLocaleInfoW,14_2_0019C199
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_0019C43B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: ResolveLocaleName,GetLocaleInfoEx,14_2_00148460
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_0019C4A4
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_0019C53F
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,14_2_0019C5CA
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoEx,SendMessageW,lstrlenW,ResetEvent,lstrlenW,CharPrevW,lstrlenW,CharPrevW,lstrlenW,14_2_001466E0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_0019C81D
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0019C946
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_0019CA4C
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0019CB1B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_00192C34
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_00192D93
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: EnumSystemLocalesW,14_2_00192DC5
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_00150FE9
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: LCIDToLocaleName,GetLocaleInfoEx,14_2_0015126B
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_001936F0
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_0298C244
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,14_2_0298C313
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,14_2_0298C015
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,14_2_0298C13E
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: GetLocaleInfoEx,14_2_02960B22
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_0019372F GetSystemTimeAsFileTime,10_2_0019372F
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_02918138 GetTimeZoneInformation,10_2_02918138
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeCode function: 10_2_00148650 GetVersion,SetErrorMode,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetSysColor,OleInitialize,InitCommonControlsEx,RegisterWindowMessageW,GetSysColor,CreateSolidBrush,CreateSolidBrush,GetSysColor,CreateSolidBrush,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,#381,#381,#381,LoadCursorW,RegisterClassW,LoadLibraryW,GlobalAlloc,LoadLibraryW,GlobalAlloc,LoadLibraryW,ExitProcess,10_2_00148650
                      Source: C:\Users\user\Desktop\bgsTrRPJh0.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | 2 Scripting | Valid Accounts | 1 Native API | 2 Scripting | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 11 Input Capture | 2 System Time Discovery | 1 Taint Shared Content | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 2 Data Encrypted for Impact
                      Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Windows Service | 3 Obfuscated Files or Information | LSASS Memory | 3 File and Directory Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Proxy | Exfiltration Over Bluetooth | Network Denial of Service
                      Email Addresses | DNS Server | Domain Accounts | 1 Service Execution | 1 Windows Service | 12 Process Injection | 11 Software Packing | Security Account Manager | 35 System Information Discovery | SMB/Windows Admin Shares | 2 Clipboard Data | Steganography | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Registry Run Keys / Startup Folder | 1 DLL Side-Loading | NTDS | 21 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 File Deletion | LSA Secrets | 1 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 13 Masquerading | Cached Domain Credentials | 1 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Virtualization/Sandbox Evasion | DCSync | 11 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 12 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Behavior Graph ID: 1543072, Sample: bgsTrRPJh0.exe, Startdate: 27/10/2024, Architecture: WINDOWS, Score: 100
                      Top-level signatures: Multi AV Scanner detection for submitted file; Found ransom note / readme; Yara detected BlackBasta ransomware; 5 other signatures
                      Process tree (from the graph):
                      - bgsTrRPJh0.exe (started)
                        Dropped: C:\Program Files\...\lgpllibs.dll, DOS; C:\Program Files\...\AccessibleMarshal.dll, COM; C:\Program Files\7-Zip\7-zip.dll, COM; 43 other files (36 malicious)
                        Signatures: Detected unpacking (creates a PE file in dynamic memory); Potential evasive VBS script found (use of timer() function in loop); Potential evasive VBS script found (sleep loop); 4 other signatures
                        - cmd.exe (started)
                          Signatures: May disable shadow drive data (uses vssadmin); Deletes shadow drive data (may be related to ransomware)
                          - vssadmin.exe (started)
                            Signatures: Deletes shadow drive data (may be related to ransomware)
                          - conhost.exe (started)
                      - bgsTrRPJh0.exe (started)
                        Signatures: Found Tor onion address; Deletes shadow drive data (may be related to ransomware)
                        - cmd.exe (started)
                          - vssadmin.exe (started)
                          - conhost.exe (started)
                      - bgsTrRPJh0.exe (started)
                        - cmd.exe (started)
                          - vssadmin.exe (started)
                          - conhost.exe (started)

Source | Detection | Scanner | Label
bgsTrRPJh0.exe | 73% | Virustotal |
bgsTrRPJh0.exe | 71% | ReversingLabs | Win32.Ransomware.BastaLoader
bgsTrRPJh0.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      No Antivirus matches
                      No Antivirus matches
Source | Detection | Scanner | Label
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ | 0% | Virustotal |
https://www.rizonesoft.com | 0% | Virustotal |
https://www.torproject.org/ | 1% | Virustotal |
                      No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.rizonesoft.com | bgsTrRPJh0.exe | false | | unknown
https://www.torproject.org/ | bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr | true | | unknown
http://crl3.digicert | chrome_proxy.exe.0.dr | false | | unknown
https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ | bgsTrRPJh0.exe, bgsTrRPJh0.exe, 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000002.1653485581.0000000000B50000.00000004.00001000.00020000.00000000.sdmp, bgsTrRPJh0.exe, 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, instructions_read_me.txt74.0.dr, instructions_read_me.txt236.0.dr, instructions_read_me.txt169.0.dr, instructions_read_me.txt85.0.dr, instructions_read_me.txt3.0.dr, instructions_read_me.txt170.0.dr, instructions_read_me.txt33.0.dr, instructions_read_me.txt60.0.dr, instructions_read_me.txt89.0.dr, instructions_read_me.txt132.0.dr, instructions_read_me.txt82.0.dr, instructions_read_me.txt2.0.dr, instructions_read_me.txt148.0.dr | true | | unknown
https://www.flos-freeware.chopenmailto:florian.balmer | bgsTrRPJh0.exe | false | | unknown
http://file://sftldr.dll | AppvIsvSubsystems64.dll.0.dr | false | | unknown
https://www.flos-freeware.ch | bgsTrRPJh0.exe | false | | unknown
                              No contacted IP infos
                              Joe Sandbox version:41.0.0 Charoite
                              Analysis ID:1543072
                              Start date and time:2024-10-27 07:48:06 +01:00
                              Joe Sandbox product:CloudBasic
                              Overall analysis duration:0h 12m 45s
                              Hypervisor based Inspection enabled:false
                              Report type:full
                              Cookbook file name:default.jbs
                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                              Number of analysed new started processes analysed:25
                              Number of new started drivers analysed:0
                              Number of existing processes analysed:0
                              Number of existing drivers analysed:0
                              Number of injected processes analysed:0
                              Technologies:
                              • HCA enabled
                              • EGA enabled
                              • AMSI enabled
                              Analysis Mode:default
                              Analysis stop reason:Timeout
                              Sample name:bgsTrRPJh0.exe
                              renamed because original name is a hash value
                              Original Sample Name:2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759.exe
                              Detection:MAL
                              Classification:mal100.rans.spre.evad.winEXE@18/1723@0/0
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 77%
                              • Number of executed functions: 27
                              • Number of non-executed functions: 286
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240s for sample files taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, VSSVC.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes where analyzed, report is missing behavior information
                              • Report creation exceeded maximum time and may have missing disassembly code information.
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtCreateFile calls found.
                              • Report size getting too big, too many NtOpenFile calls found.
                              • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
07:49:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Skype C:\Users\user\Desktop\bgsTrRPJh0.exe
07:49:22 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Skype C:\Users\user\Desktop\bgsTrRPJh0.exe
                              No context
                              No context
                              No context
                              No context
                              No context
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Reputation:low
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13399
                              Entropy (8bit):6.702201016039428
                              Encrypted:false
                              SSDEEP:192:F2EhtF9FqT7mPhExum5VVxLjvdblKpHDTCs6WvTQdfLOTl9EGCBry4O9H9Brj:AatNWRxLjvdxKPOWMNLqLEGCBiHXH
                              MD5:F7E7FD201C6FD48529223F52E6C85559
                              SHA1:FE1016E8EDC39DB582FB9068EA2D2D1AD82E1177
                              SHA-256:175F6582542AA931880013550ACACE17452E99B1B9EF61A6C78B9A1439563BBA
                              SHA-512:FE5B1F88309FB2349E519E2F94ADC98AA99983EB1F799AF6AA1938E6D9D71AC76DDF7CFCAA3D90558C9F881AA5BF7C5359A3BB11139BE2AC6091FF8B55E2F0E5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):234402
                              Entropy (8bit):7.08120689435632
                              Encrypted:false
                              SSDEEP:3072:Deol6wrJhArF3ladZgQCz+QcJis3djMHwVLkkhDXpXY+gwRIdCC9QM54DBGu9dr:DeO6GA5laH2cJF3dYH0kkJScwe91
                              MD5:2E0402D2150D9AF1FEA485EA9A744791
                              SHA1:D3518AC9EB955E8E2B5B67401319210AA49DFCB3
                              SHA-256:266F33FFC6F7565A3F3348598BB0819FB1545006219CC9C8C28BF94C07602C24
                              SHA-512:F895741C9CF24F11E888FCEA3ABE932D8F3193AF57077FE6F2A81EBA7064680EA588A6F4670652BE02FC438B8768FF13B4A66D2905E9F4806D14FFA8F163A2DA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):176546
                              Entropy (8bit):7.239079386858462
                              Encrypted:false
                              SSDEEP:3072:LnYhAXFqmratmTbb2cZTX7H5yXElfCaVssS8rAewb37E3H7/uY46IG2oi:LYebTH287YXixpYG7/tju
                              MD5:0AC9502DCC8F8C23B409546865B17168
                              SHA1:711CED6CE387D444187D800CE8D48F3B720C9F06
                              SHA-256:6EDE81E4F96ED42D8450F993406E6E54C3AB911BAF5DB8043361CE759384F577
                              SHA-512:0963757A3DE7C26598B6D85C477DC5DEA6DDA90408EAECDADC9A08517C169FE2C7B466D25DFAD29CA8EF66347F579C09E9112F1771512C318CF30A2DDCCD4175
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):196002
                              Entropy (8bit):7.07009597247026
                              Encrypted:false
                              SSDEEP:3072:On1ZgdMjNaWwk8BaEL/E8M8uIgzL+MlxpIJSmVMUrtiXzol+vN6thOOvb:Haj3wkJA/E/8uNzL+au3Vl1uNyhZb
                              MD5:5D5CF7634759F0CB2BF1E66BDA9B563A
                              SHA1:5C3A2AB88F0F8586A85EAAB1F5154A5E50541AF1
                              SHA-256:24500E5339B3BBCF5F4834A60A26289E01AB79CC40E6C4568D16BEA2ECCBBB25
                              SHA-512:48ECD45255CCB2C11F128EF61F15B80090F4264EFF39C704DFB3146DCB7109730284BDF2AE0A9024BF3486CFD5170705E8D808E190E0C24FCB92FCA71E39878A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1634714
                              Entropy (8bit):7.721231075352731
                              Encrypted:false
                              SSDEEP:24576:WXH6hXJtk6E8YrMC9WBoAZI/26hAQODlpRVmcJNkaEOcM8nI83o:LVTCMn2Z/yQSH4cD59z8nI8Y
                              MD5:46A89FC35D2E8E2C6834FF9E5F15D0BE
                              SHA1:A6A2714E0AC2908835D714CD42E40D84980E2DEA
                              SHA-256:A83F06401C890ED823A80A723A5FC6051CE70B945B6E3E5DAD20AA817D1B9636
                              SHA-512:B10AABD8673FD99ABB5BEC11F09EE67186143D4E3B79E8720D47093A29A428D0D2DDDE751D4B5AE04E523429BEC5DB549DF8B3607192AD0C3B831F8C58B055FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1800602
                              Entropy (8bit):7.6583178169914055
                              Encrypted:false
                              SSDEEP:49152:eq5jfV6LQwl8+ulyAvcTwAzqd/0Z4LUKu:XfiywAvcTwA0/SKu
                              MD5:C145C5D560B35484C50B1D199E5E69D6
                              SHA1:13BC38221287DC6F2E46ACA7C1E2E7D633ABC496
                              SHA-256:673335D3E851CD44C936B9E978D73C0DE2CE16B4BC72BD4720661DCB782F5739
                              SHA-512:D8423C9B944F1A8730E53872F3E891C613D2536AB0B851A90D05613855474675D25793FC578F84A9CA3CAFC3AF604E9352777CD9D337215EC839109443F0C761
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):305466
                              Entropy (8bit):7.997518123685114
                              Encrypted:true
                              SSDEEP:6144:h8Veu/yMuU8SzJHuerkzAjYQYZuSrL/rGSMRW9UOT7wA3+NYeBFBuGQ9yl9qOOtj:keuKzStJY8wuSiRcvR+NPHn9qxu3bi
                              MD5:9E37B393EDE456405B99F1568A51E3D0
                              SHA1:4B59C6FAB5D86DD536AA920558F1DFAF3EBCACDB
                              SHA-256:459C4E1E63DD65764B854C7B3A3C40D7ACAEA4FA957FCC0C2CADEA20D46F629D
                              SHA-512:B2988813B71803A49C76C23FC2A231A59ED0A5947D3E71308309ABC632E337F08CE91782BD4170099C78F543245AACB3B7A18CF76390D0A94A7A74DB6AD55209
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):518
                              Entropy (8bit):6.800030369456645
                              Encrypted:false
                              SSDEEP:12:AsilqdrrG2+bDLzuFYjrfF07rzEYVP7TLbS6bj:AsilqFG3Li+jMEY173bS6bj
                              MD5:1BBD23C4293A65CD4C4A1BF44C4D3F35
                              SHA1:35A7374657094D8F009427577E3D49DD0F2A6073
                              SHA-256:3426BD03F66772E90C7ACA373A82E89C7B756D4C0B664AEDC463939B325A3825
                              SHA-512:A22B88D9A7CE81E65424120F62F9E5C2627D7895ED194795C8E24F966A4301C5A2092CABDF826E17CE86EC807168C09E11B81A50D0579FB740E469EF755E91E8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7185955
                              Entropy (8bit):7.995350626612748
                              Encrypted:true
                              SSDEEP:196608:KetORfcxy7iReF28HaXQzusZJSLRv9IADk:oek+kB4QzBJSVmsk
                              MD5:FB526E0C91DF9D6C8939AB804BBD2147
                              SHA1:B132A1AAE35F7B6D7AA3235E398B8385838D638A
                              SHA-256:F0CFFCCF48D0B743462FCCF04438C5D54729B6896E9A2E4E0897F66C96FF0C19
                              SHA-512:DA612D1FFAA29AA4185E27C576E6EC30E7F702317EDB608048658B2421080E38259CE8DB9D4F92EEA2E2137A9DDD8C4FA2B1CE7EF49FF712A3749486DF461F5B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):124818
                              Entropy (8bit):6.824678962421165
                              Encrypted:false
                              SSDEEP:3072:DsVsvkvBS6o7pIZSI1Y+lfCEMXPkTToOLLu+5WHaADXKyl:DsVNvVoS3I4ToIXpADXdl
                              MD5:0549A69A6C9661F3E677AAF6B61A5FD0
                              SHA1:A2E0654B6AD7CEBB4BCD1CC30525037795F38ACB
                              SHA-256:AC2EFF642A72D8B3F74234B36B8F82E50D84F4CC949613038C57547F25878F56
                              SHA-512:DEEEE7BDDAB908A8870238F02624E578BC701542567BB50397CC8FA9A5C00CDFCB7C0015942F9BC3277FB06AC85F1930ED14020E85338B51B85A3CF879594F64
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1072018
                              Entropy (8bit):7.15481309084005
                              Encrypted:false
                              SSDEEP:24576:Qe8hccufhaaJTks8PNaillG6k011srNchvT+7R1C1OST2IYwvVnqaa7CqQNwoi:Q5OfhF9kskNaiHGB011sB0r+11C1OSyb
                              MD5:37F929E6CC31ECECA1AE0A30B465323C
                              SHA1:D69437D93A482E432DF7D6D837CA78C5696E5E5F
                              SHA-256:DC9EC9A3B6532062ABB021982BC51968337E12C112434730138F65C65A8BC951
                              SHA-512:1D75D7449D766E544067B6DD0C1321724B6BC0646C1FF17089A7781B876635B0FACE9C1B8D1FAF665878A0A908F425C151C86AC474EFD7FBABD8762A314624A7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):200700
                              Entropy (8bit):7.9319208878684835
                              Encrypted:false
                              SSDEEP:6144:J3I6ocJtiqvYSHzj9CrYpC/KgsZpgoiMmObiGltEbJ:tI6oE0qtHzj92/KgMUMmO+GtE1
                              MD5:56ADBF4FFE8BC5DA00B460A3AF6036B6
                              SHA1:B4591B707FB1639AE2BC2C6C90E273198C0A1DD9
                              SHA-256:390289118429B4618E65E39C515006D66176BA3D69F943CEDF62E32CB2D5EF78
                              SHA-512:D8EC8966E01E15E99A6DBA60B8F1A4963A4C0016BAC1B0223E822BFC290FD41CAC9FD38A4FBCC3ADF3C0425E78BC5F1E8D954E14DBB1C65B20227EF0FF7E4A6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33768
                              Entropy (8bit):5.7228497863123025
                              Encrypted:false
                              SSDEEP:768:s3If5NRr4nnIrsjPYtBSNOvQ1CU8WzUucr6+o0DwGNi:s3I3Rr4nnwSNOvyCUVIucm0D1i
                              MD5:87E54885D12B4DAD311CA9E60053562D
                              SHA1:6EBB72D4918DD540EF3E6AC5CEDB737602A8FE30
                              SHA-256:CD136D239FF47504AFA258B1884C85346B70D27A6DE43D7B78723355A49551FE
                              SHA-512:99FBB595E758DEC1A6FCA8986BB916C73F644008AB54EE88D6CD6FFF7418278CD8F5DBDF778CFC49505DB1ABD83701E031EE846B5F97858A4C6F7451EE47A07D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44442
                              Entropy (8bit):7.0315223434510195
                              Encrypted:false
                              SSDEEP:768:Wq2TopellNfivRkLe808l6w48tUZDKLooCPLCLOg1sMUSwtttItphgKryj7Kjini:WtTlE2ZybVLuitvlGVUNTy
                              MD5:F45C1E94243C0BD26914F17B9E5C744F
                              SHA1:9F7A451A4F0FC07D9337CF839B79D790F82561B5
                              SHA-256:A1E7D0EF6DFB8536236BFFDDA638DD4833BAFB8A5CF073720D13C314EF9669B0
                              SHA-512:AA6655BEB20903FE1E3EC9821A27C80779B6B556BC6E3264B2BDDCF3594A45AEC3A01E845AB99125DAC04D5A828B713ED9AB9D93B74C591ED013553FCD698D6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):49832
                              Entropy (8bit):6.222393108797496
                              Encrypted:false
                              SSDEEP:768:Fvv1LMk2TRuluiYuAwORwrzc+c0RHTZ3F0:hv1LjwZbQzk
                              MD5:F3AA55ECFAA8A303D27BD69CA5ED2A3C
                              SHA1:2F0E2BB2CAB43ABE220E81C8A8DA75092DB70CDE
                              SHA-256:8DA4ED3777851C176412DA00670F39627B3941A91861B8502899ECA444D63E7B
                              SHA-512:98E56F05199E1A4CFFCED8A717765FE114500CE19D6EFF362CC9AB6B80B8EB8A2BE136B9271D0F8B13794E460102F66C686B01D9E02A9D2254B616A91705778B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):53658
                              Entropy (8bit):6.911058580829466
                              Encrypted:false
                              SSDEEP:1536:7W4nECqqc16gTTtCKho/2w9LM11avjhTEzlSdtLKLDB:q4oJ1N1Fo/ZyojaZSdtm3B
                              MD5:0CD511A33C9A026B6158248169128A3E
                              SHA1:8C1E6D7EEBA9A08E6FA1926FEC1E950710CDC5B6
                              SHA-256:73A1E89E7BBB9B4A1028640829EC1B15A2419B5BE50D3704BB5B58A3C14B2D57
                              SHA-512:AF6D37C468FCC854637E72B0EAA54FD3458FF65C0B183F8770B4FB79FA2E02AF06275186EB06E2B9EEBA08F848D6CB7E9E52A5466B67ADAE6601BE7C33E5264E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):726954
                              Entropy (8bit):7.290249641184009
                              Encrypted:false
                              SSDEEP:12288:wXGz+ta0zHaker2pMxm9e+UeinSL0/CRyiKGL8xZusq:4aj0zHspx2wBWW7q
                              MD5:80971D15C9B1AE09F68EBF1572F03891
                              SHA1:0F2142D93B73705351DB512ECA72EE41FD6DA087
                              SHA-256:C156997D56CEF37A27FE646E0F221AFBD7BF4820EC05E3C47C314DCE62C24A32
                              SHA-512:39CBCA8EF001F3828183BEE2612571D5FBF123C73BAB6A8EAC4EA574CF48E10A8B492561A49ABC2C6D2ABBDF5DE560F06863C78EE8167CE1B3F654BAC2FE06D0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13307
                              Entropy (8bit):6.88752703775169
                              Encrypted:false
                              SSDEEP:192:3hLKzx2BLkVdby8t08WwR5W9qQLLJy08kzSexHHdKnXCw7e4mJ:RLFdkVdbbiwR5W81gjB9KXCw7exJ
                              MD5:80ED91F1D485B52F6DE6FCAF9EE1F8DD
                              SHA1:6604DA6285D1281574EACB6EA000B29FF3C143A6
                              SHA-256:1AB24E26A8116FC78181ADD88C0CC8B1C0CF071C68B0BE21B8A31ECB642B19A3
                              SHA-512:EBE1C9ABEC02223E7B41ACAB3D1E8285382FB2ECC622723033EEA37D709D0A84A13E4F5381850CD91CEE550DD6561D90EB39BCD473E4964E77C90EAEAFAD61D0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29290
                              Entropy (8bit):6.575168091838858
                              Encrypted:false
                              SSDEEP:384:sMnLe1unaIcpnLI5ANSID+8OEuL2niIKnQjeZA/2zbjhIErA/ETUCnknInClgoL9:uYk9K8CusZJToiVfDCK88dA
                              MD5:CFEBCC2DA2BEEFAF013FF7FAD02B2D02
                              SHA1:881065B79DA095390CA683B6F71C358B8B976C0C
                              SHA-256:D9B4F35A3036C14E184D1C316C88715A577DDE54DCFC7823B08B61B5EFC1349A
                              SHA-512:F67D8F24CEFDE0E94105C9C4A8EFC19E8D83272C34C4C6962B2B1D661561E21E01DA500EF6C8966DC29EED08C2B635D0A55438392E600D8823297ABF3131062D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):921002
                              Entropy (8bit):7.160404502978802
                              Encrypted:false
                              SSDEEP:24576:2GJmmIDaK6Cr7e60exEZrSyr6FVR4nPiRbcHCa8:22IDaEr7U+FVR4nKR+Ca8
                              MD5:1AC712002960C084018C8959779E32EF
                              SHA1:FD98B578C0CEB6FEA7E3F8E96E577B7A65480FFC
                              SHA-256:7AB68494C8064362CE3537BF4F42212DCCB8ED59BE621FB33021BCBAD4593249
                              SHA-512:2C836029B5A73250E9E4558E0524E587DCFF10234DF535181172B586C08A9B28231521473214565E5A0852A64F8282BA3EA0135C8536657E807B8877FEF2FC70
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27860
                              Entropy (8bit):6.500805212419417
                              Encrypted:false
                              SSDEEP:384:yDqdT8kOD0cYz9rS05CiKz/Q8ll9BjE0JN6kTM7wK:2ql8e6PjXjE0v6h
                              MD5:4D0035C5262AB36A64CE102CFD2293B2
                              SHA1:E40EDD48219EB731CA146AB3D1F74B1CDD8C5749
                              SHA-256:139AD640E38B630F16489615ECC89F6D1AA1C5F0B186130992824981999CD108
                              SHA-512:666EA519F73322E15D4AA11F79B473EDDB9FE22D7E71F0B50827D86D0A7B62CF6A874BEB7C3BF744DBCD78AF61520F54F3BB8C1E905EC23A7CDE4A46640596B0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):521
                              Entropy (8bit):6.824370623688086
                              Encrypted:false
                              SSDEEP:12:jYAeOtXOyuxZawho5HRFEor2XY8yOEHyjKUi:jAP77G1oor2Y1OEChi
                              MD5:9AA1413FA29D2EBEF597466F7FD14894
                              SHA1:DD72B899FC628892B6A8885FDA08A9C897847792
                              SHA-256:59F223C0252FF9C9E3954250A314B204E8AB9DFE8D82E7B369F780DAFF88FE42
                              SHA-512:C28B1D352F027ADB84E1E676F4D97B41F46AEAEE5128A51E97BD39BBCAC5697C209C1E99D4E7E36A255163764B89A4C7B2C0D1B1A3676A31027CEA5FB8DE8BA2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2181
                              Entropy (8bit):7.705351922074254
                              Encrypted:false
                              SSDEEP:48:cc0FJ9LV1tf8CydyV9i27MWVtIdbPyN5sA/MsAUf:cc6HL/1824WVWPO5TUsj
                              MD5:DC22ADF7C2B5DD4E8CCB16CDDBC2D79B
                              SHA1:B99E1676D9D877518E3C142F73BE7CB971139234
                              SHA-256:5BD7570E16653CB768129B33A46239DD9A43A9181A2C2C1CA3008E0D7D089668
                              SHA-512:9DCD5631AF368CDE6E6D99483CC5254D1AE92412428D07E3B0478D5E7608A61888D9B42945F0285CCF840ED009DCB86BAFD3116CB5405C8A9CC615DB22C7895D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1617
                              Entropy (8bit):7.659055218852519
                              Encrypted:false
                              SSDEEP:24:E7A947p4WyRz/fgoZjzDxiHDlXCMraPHlZcTo+UMUBxBdvxezOESoCky+Sr1Rl7J:DCEjztUrMSTlCbv2OErytr1R3+I
                              MD5:125583C5B167A1A8F95AAF96EC6B8B30
                              SHA1:06A832E0D9C5B89C3240E149975F969CDA16BAEB
                              SHA-256:5D5DFD2E550B9F7FE4FA0A6C15E5C7EA402BF242DD23318CA978638523475F4E
                              SHA-512:7BD9128800AA2FC32DB7EF2B73ADA5BB19252D0A76F65172A49F582B5C434A4AFDEB61BB0CAB811C79EBAF5DB884DCCC7533737C6DC76803A0ED1BD404F1285B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1400
                              Entropy (8bit):7.599637708009413
                              Encrypted:false
                              SSDEEP:24:KbhSvUyrJ8sS+qo3S0+BTGDWHQ5wJd1POD3XmOwIT64CEv/yJkAqhLjtH1gZbY:mhSvUSWsd80+FG6tzVc38InyqAmx1
                              MD5:4CCF7FEF3244BC4F2056FEB72D31544C
                              SHA1:B9DA95D5E6431C863A1CF3835B368C9FDE238551
                              SHA-256:6753DDB208C132FA086AD59A5C121558BF6B73A817C90805CBE91B7578EC1832
                              SHA-512:229D3B7E3CED1295EED4A68ED366B51CC27E761BA22D9D13B9C6FD7F69425ACE8F10086BFE14415D1BDEC8BB34CE92385EFBBC854BD67D8D46332FED744E6EF0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1609
                              Entropy (8bit):7.663924881204082
                              Encrypted:false
                              SSDEEP:48:2MtYT1SoUdk2wZ2I2L2eFXWk3LwFbXZI82Rlx:2MWT1SoUdjIcpFXWk3abmJ5
                              MD5:E651685C9242442C2BF94850585B7EF4
                              SHA1:4473C6F5FFCB83463267F9485C0A2CFA2C336156
                              SHA-256:C0367A34BE9C1AB7B2B9AD7A3F305548FC8A5D92ABE800B0A4431B73C33B1F51
                              SHA-512:A9D23487DA7B9FA98F798E489F507125D3B3C77BDD5E47F4004591C67A5D5A77C6B513F241419B343485833AEC99D6972FE25760EA19BCB6865D9EB5231D3BF5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1586
                              Entropy (8bit):7.558795832203676
                              Encrypted:false
                              SSDEEP:24:QQ8s33RfomrE7FJ2qczl7ic8r1BETRY2lm8M7B3JyPwLW10KybACYh7BCIgOgGTc:QOhoIimJxi5gm8OHLo0KJzgOgG2v
                              MD5:4F41401E194EC0D62BD461EBA7EB2424
                              SHA1:EF75B18EE31130EB91B740994ACB2056980699D9
                              SHA-256:24550E23D378F78C480B682BB987F57AF0CBE6BB154CAB65D1FBE47E9F1D6307
                              SHA-512:BDD681B98D4D5C484527C761842B2CC9DF78254802B93512879CF96DA6BFC8CF0BDF952E3DF78ED8DC3731C2ECDB730B76FD08BF26E4AC5FBA4F7871D4C67155
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2142
                              Entropy (8bit):7.723038856112731
                              Encrypted:false
                              SSDEEP:48:m/Mb5pFkGfb7uRHjqEHwmJFKjghxCRvdSdy1CBU7u48Sh:m/G+GfuhqK3bHhZy1CBq/nh
                              MD5:1775A70EBD53D54158F5393DF4E450FA
                              SHA1:F00CC1311681121BB358F01BE05B7C21533DD35A
                              SHA-256:6EE3EBC6B5A994F929DA050243BCF21C04DFEC219082DD992AAF8092F2761071
                              SHA-512:8488F4A8D061031E9130032393148281AB041F8EEB7AE72C36A1D67476AB0F0F757E9F4EAD4B3AF567ECC3D2A0C2DFB6E2C4856759036505EC3FF712D98DA99A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):773
                              Entropy (8bit):7.220804423059025
                              Encrypted:false
                              SSDEEP:12:thLOoxZpYywAoG8SkcxMiwpABylzyAb8GNDWhMqvmy0pnBqRoKY4Bsv:rLOoxZpNLkAjGABylzlVNq4ZpAE4c
                              MD5:876E97EE4D3C35D197E33C8A05DA39F7
                              SHA1:1BAB5E6689EB2012E963FB71F90C5351AFED0D5C
                              SHA-256:BF7339AD2FA452AE9316A0B10FACE1BE4C60A5F86E0AA93E7691162564E0E500
                              SHA-512:060CCC5CBC8D66006A202E9BD1FFB5D6DCD9E153CB5DFA2C1A13D44917003F784A80DCCC49782C1948C836A3B4256421DFB77A1DD1FE67B797BC1764EFB4E622
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):2152
                              Entropy (8bit):7.697538061043791
                              Encrypted:false
                              SSDEEP:48:O/xteSZCn2FkawFkjblLK4TofG20UO+RdoeLYnCdrxIgSVuCMB55CYV9ukMYo:UxwSZCn2uZkNofG2q+RdoeLYnwWNMB5c
                              MD5:952F452DAC9AA056820D27D5C45F9276
                              SHA1:52F1DAAB3CA14D10523F705666D11E1D1E963547
                              SHA-256:B07D23F4E675EC663E0D2045489DB51641A3F8C3914F02EFDBF118992241415D
                              SHA-512:61A1E3C162C6EC7BC662197C0F99221DD0CAA625C1E6CA6BB0AEAC8B2AA77C52B5D61E2C61847741F60636442EA64AC9D52E66CF6AB4F092B99759E2824D4F29
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1862
                              Entropy (8bit):7.708190702608225
                              Encrypted:false
                              SSDEEP:24:hXENlvGP/14HetEXDnm1UvYAe+TpCrzGOMx9OMciKN0j9Ph9bqVI3Va2GuW8d+lz:UlvG314HWEXi6pC0UMWaNh9eVIvHdcz
                              MD5:FF3C13F9D82BD137B8FE3F8ED1598C6E
                              SHA1:2571E092368428AFC1502F928D359A2F0E889228
                              SHA-256:2BF36966FA95CB04E110027A7121D5D937B38EA726C082D84BCA91E74320FCCA
                              SHA-512:5D760F33DAA6594DBCE02A7E787D4C26D45C7CF5E6F9495C3BE8F8EE6D88BE9AF72917733B12511C3D4EC1BB6371D6E55886CB6176433B1BDAB6F701992F90F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):491
                              Entropy (8bit):6.651684709751777
                              Encrypted:false
                              SSDEEP:12:N5prQIj6Y9jjUpl/LGhUdGO/uObF0zlydltz:/prQ0M/L2UDPbpdltz
                              MD5:ED8E39FAD2E788AA80AA4D0ECFEF85BC
                              SHA1:59DAF38D4FB2B7A056A820BEECD665A98F4E63A5
                              SHA-256:66A2E9FAF9CC2CA92415DE0A28846C2BB1676488B3FFEEF82D91CECAD9E87FD9
                              SHA-512:2458C8A59099FA3BA2B4EB44C4B3DF87095BEBE92BC297F9CAF153ED18E2F92D7ADA993DD136ACCA68534F4AF5D283855AFA8D74F3E1D02B1335EF6F31124A85
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.0026866414447895
                              Encrypted:false
                              SSDEEP:96:L4jPEmUEaZTOHqZsmDlYYESUEt2N9KHNRSnQKSuH//53:sjtPaZTOKGmDluvEWEHNInys3
                              MD5:B57FAB9F6C3D8F77D4A41C1B5607572A
                              SHA1:D81BE10A5B5E7EF332B89BD3766B7F6DDFC54860
                              SHA-256:D25F267882807902E112B2B614D2F0D4E33AB9EA8C55B6481CDACC387F54D192
                              SHA-512:A93C9DD88F4F7B97A7934A80D1AD9DBCE5B5138B018A426A3F25FB3049600C31560FFC005B00E71D9AAF1119D3E693C19245B103B79B65DFBE73FF04FB84958C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.045652753981562
                              Encrypted:false
                              SSDEEP:192:AuJKbmkCoyY1r243LVbUYKq+6ctNm9Z/N:AZmxm2O2qnct09H
                              MD5:03ABBDB674353CB101EC18001DE220B9
                              SHA1:36A6EE78DBEA598A563CE3AFA51311E58E591B79
                              SHA-256:DE685D2B9061AEA1EFD34CF223064A7481A82EC4762AFAF979C83938957D9EB1
                              SHA-512:EEE3F1F7866D051AEA15DB2AF49D3D299609BE7034ADAE7E6001E3C9468BD8048BA71D96ED79952DD2D7F5BD9FA5AD77679A37672297734388FEE9278D655EC5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.068982631211068
                              Encrypted:false
                              SSDEEP:96:zg3X1M696rAiSlC34nOAgevb/as8juf5z9XwELZshcWDYOkXb33G//kt/:kVMG6Uwonngev+sWs5xLZshdDYOG3v
                              MD5:CB79EED8ED7FF27BB47A6FDECF11DEBF
                              SHA1:9C39B01BB5CC0CA2B2602073ABBAAE6F355910B4
                              SHA-256:CC23F67FB7735409EF5DDE90AC08808C6CCE9CA0D8016D08394EF31CBFEA3E3E
                              SHA-512:ADF54E041C4950E245A76ABF0398C4201DA7848E3EC07A4B66D288708D52D1689A99A27820C5076AF4399ADE1405249DF141E9A517D8FE8BF7127AE9DBE4F5FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.029658879893488
                              Encrypted:false
                              SSDEEP:96:JAZWzCq7rWE712g10eGkymxf/Q0YBFFFtIoY8pCe6fxFDU7bv1LA91m//2v:557rZh2sGOu1FFFthxeFKb5WR
                              MD5:9C9FFB766ADD813FAB81ACD70B89EAD5
                              SHA1:7F718145855F43F275F1F7CD74C663F6EE03A3F5
                              SHA-256:B47B9011C5AE53A556F40CDF8FCC4096B02B761A04D41FFF69DD8F3A98A9DAB6
                              SHA-512:05A9DF26F5641A80DF2233EC48BAAAF676BFEAEDAB0A6548ED59ACAF7A40AA37B1C152624077F1700E76B29A248DC7CCABECAD8E86F4351450D593E4FE18AD82
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31840
                              Entropy (8bit):6.815763271899651
                              Encrypted:false
                              SSDEEP:384:++s9lOwhq2HQaUn37PfDYWwOZYRxW25jK1obJzmg9Hdm/i99yY7rOliubh:clxHi3jMROZcBmg9Hdmk8zQg
                              MD5:0DE7E9927F95B5FC772FB1E8E2FB5D90
                              SHA1:A1017A069E894B5F83D3243229094D573294100B
                              SHA-256:36E131F092B4D64D2316CCCD47E1C91AE904A1F9AC7F5EFF2E967149A6012B3C
                              SHA-512:1BF3376CFD9487C2FCD90F6EE4D9249B88E280898C8753EDDBB9C21A24BF46E814A5009A454EAC21C8DEC85B50FB09A579E351986FD5F21A6B5D7477CA2B9688
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):71860
                              Entropy (8bit):7.61670650506223
                              Encrypted:false
                              SSDEEP:1536:TXN2tC+cuDAri8QFPx2PcqrmZPY17MGK3X:4E+rNpf2PcqrmNy7MH
                              MD5:A7763B51D17AD2A448D807BCEF2A02AA
                              SHA1:0663FDAFEADE28C1721F18C2638635C83370DAF6
                              SHA-256:7CDEF84C575884731D57E7BFDEBCCE1FC9882D4F4DEA4D06D959BF181B105B6B
                              SHA-512:6E8B9EB922772BC515929FEE4C5E563ED4767B607620DF458ADEF6B07A92D757D4278C89BC12D22450B9EF0C6C99B9BCCD05CF879F7333EE474F0C7217F43C75
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41601
                              Entropy (8bit):7.008103203680149
                              Encrypted:false
                              SSDEEP:768:X1MoLQBkni5c4uydOrcJ4xnv8b3EASXPR:X3QtdOGYKaPR
                              MD5:233146216CE620FA7B64D75E5480456F
                              SHA1:890E8FA2480DF0AEDBB091379CCB8DDD53F89ED8
                              SHA-256:BB6093AA2BA62311BE704B5E03A68B5C9B3ABC98DC47A116CCC15AC534C4AFDC
                              SHA-512:594FA93A00227D954AB0F12D9211DC7A4D4077DAD4C4E3244E8FA10B67B1B5062BB4535B8F8CF86247BB2FB62F1D895BD21DE73FE97CB91F2E26BBE775761287
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25528
                              Entropy (8bit):6.649234927497562
                              Encrypted:false
                              SSDEEP:384:28d7cEUmZG7RwHES/tpdNsIDmf4dcFGJ4y5N0V0J/lPzeQg:28d7dpHESl3NsIqf4dtJ46E0J/lCQg
                              MD5:D9C9C7C52D56732A951DE7FCF680781E
                              SHA1:F38242979C6204FCCB3E30866ECA002028E17690
                              SHA-256:B2A67C1D42B7F9CE7491945004C653691781C2ABBBA078A33A20A01059C84BF6
                              SHA-512:7B1CA4BA819340EED98B247CAF75C0DBA4B7B3CBB490EBAEA500F9DD912B65851A10400F9CE643DF8BC558650DE0A63BCB246BF8C542086D9126480FF4975146
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48363
                              Entropy (8bit):5.802192543873274
                              Encrypted:false
                              SSDEEP:768:YWF6yHiddxRusZ3P/5kLwE8kFIwdU8JRrsTl5+z:vFPi7WU/5kLwaIW/fITKz
                              MD5:D4B065859DDF94017AF077E9FE3BA7B2
                              SHA1:14F765444DE7C782D711232902300ABD0ACB17D7
                              SHA-256:1B7A60B6916B88F6CD4748C4CCDAE24669E8BF116B366DE6C1EEBDF38A68CAC8
                              SHA-512:86A8567EBEB620403CCCC640D8D3F40C1FC9F4C023B7BA32E40001975853BFB3A8CE69D75E6490161066C7B5FBAE21A00F4E4AF7F4B919342AB3D777F9EC50C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1285
                              Entropy (8bit):7.299890309728865
                              Encrypted:false
                              SSDEEP:24:/5ymhayMf+cu6H43Q/ymyKCmy/08CEFb3myMfu:/1zYRus4g008xFbau
                              MD5:40D7FD6EF0DCD442147C69ACCC38F32E
                              SHA1:5D0F41A4F5A18001A2329819868861E4B355AEC7
                              SHA-256:7EB64DC3B088ACE5CAA4EC5D72D70E37D1FF9D82CDB27B1C8519E547860ACF51
                              SHA-512:051B1555B4CE83CF08B491B9740976A83CFAB4206A8B72335FADD470B280EC2127DF69AEF2312C11FB3761A0B4BA5DFCEF0B883A46530BC7E62CC26546F825AA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2062
                              Entropy (8bit):7.65414176853421
                              Encrypted:false
                              SSDEEP:24:umahvzQ/HtdNTGOaNNoFrFRjASQuprbTXoWE3EVOkwt+E3ErOME3EK8E3EO5A9Rb:umS0/TGKFz1QuprnXozNV5ATz
                              MD5:C563913D9913FF4095A8DBDA8A43E732
                              SHA1:D354071D54EC7E18257FE7A344D922B3B1EB8114
                              SHA-256:4F3B21FC113C5C73243A580D633EFD01DEF3CC55FD27B83D3756BD4C32FC9526
                              SHA-512:19D785B0DDBCC63D9015E57A4F34B976552BEAEB38F9E909497D53F64CF19AECFE7C015F1B3C5A72A4F8B110182208AA5BB403B8A09B8A86B7504D08B2CB3BC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3220
                              Entropy (8bit):7.689044717950427
                              Encrypted:false
                              SSDEEP:48:9tW1stptc5tX4Hw9zipLTkgLiUV945KNPqMrwHhFbdmwIct4THPU/l:9t5tptcfXkwFiug+Ea5MPzQFbApHc9
                              MD5:8F483294708A901B346557F5EF6AA708
                              SHA1:93815E8F6C82AB175AF2CCF5A72EDE8F23619FA4
                              SHA-256:427DB19000A91959217638705F19F9A18E88FF92E72F8FC9D2987F00C3F0A1BD
                              SHA-512:A94196010101F6C4CD5C75F5A43A4ABB532DF6CE152F566F0E9C9E35C38812D5E07A7AC15772C2517293101F39C10620EEB3B96A489D7DD19D3715A39D80A574
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11069
                              Entropy (8bit):6.740288448717774
                              Encrypted:false
                              SSDEEP:192:JH/NFbA4MlYarLrOsiciMQoUC9bfGBGuwcbJDpiOupiHlv2di0bf+:JfNFs4MlYarLrt9iMjUafEGuwcbJDIOV
                              MD5:36A37A324A00AA4179C281940B3AD690
                              SHA1:C29733BB87FC82B1D2B3D8C696D633550188A5E0
                              SHA-256:15F98B54F473FB2DB075642D2E0861ED620DB07AB8F071AA6055646F06969C2A
                              SHA-512:F75076371A798150DC5C7496972CC37C884EFF56B3E404CBDC7D7480957E752D6427DFAA50B5BCAD072EBCA71971A2BDFA64364BAF6B23EAF9A09B744D186313
                              Malicious:false
                              Preview:.f.....).._}.....k.{....2.z.$..!...i6...o.e..........7w...X.==================================================================================..; Title .........: WinAPIDlg Constants UDF L.m.....*@.._..x..F......~`3.O.o..Zt1...a.n..+...i....+...K...: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ================.2.IP..q.I.#V.*..v...q..,.z.$..!...i6...o.e..........7w...X.===============================================....; #CONSTANTS# ===============================================================.2.IP..q.I.#V.*..v...q..,.z.$..!...i6...o.e.........f%.......st $__DLG_WM_USER = 0x400....; _WinAPI_BrowseForFolderDlg()..Global Const $BIF_BROWSEFILEJUNCTIONS = 0x00010000..Global Const $B.I.6?...j2~L(.Z......l..!.w.(..,..s8d..r..6.Q....c..E.....5.INTER = 0x00002000..Global Const $BIF_BROWSEINCLUDEFILES = 0x00004000..Global Const $BIF_BROWSEINCLUDEURLS = 0x00000080..Global .`......f2nZ$.C....}....P`..$..d...d;..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):309775
                              Entropy (8bit):6.6838658191553035
                              Encrypted:false
                              SSDEEP:6144:crKXxlZUIir0+QISAcDYsmrFTwqtw68Oq24H2L8an:cGx3Lir07ISASYsmpTwqW68kL8m
                              MD5:2134A7F6433567119F921476B6507843
                              SHA1:D76ED01BEC692A994FABE169B5341AD4ED71FA26
                              SHA-256:54F51C29BEF4CAD41ECE55D94046EDB6ADB0896DE1B2EBBFF81BDACB651EA7B0
                              SHA-512:6237173E0DC613C84B2CD77F14E555DD91C2DCDEF2F91D9C932AC1B6F6DA78D695F3F895DF12F22AF2D2C7FAE7355201D6C6007C3E72C19BE4980AFEFC6E30D6
                              Malicious:false
                              Preview:...iE....k..+kC%$.`...T..+.=...*...l...n.... ..~{.M.M..N.[..==================================================================================..; Title .........: API Constants UDF Library...x.&....q.x,Znnj.,...iR..yC ...9.......h.p@.z.W$#.^.^..].F.glish..; Description ...: System error codes to be used with WinAPIEx UDF library..; Author(s) .....: Yashied..; ===============.E7.Z...8.H.\s.".~..1..+.=...*...l...n.... ..~{.M.M..N.[..================================================....; #CONSTANTS# ==============================================================.E7.Z...8.H.\s.".~..1..+.=...*...l...n.... ..~{.z...C..F.nst $ERROR_SUCCESS = 0 ; The operation completed successfully...Global Const $ERROR_INVALID_FUNCTION = 1 ; Incorrect function......hH.....v.U.$.}P.....Sn..IkO.a.7...j...6.OX.i.[c%...........the file specified...Global Const $ERROR_PATH_NOT_FOUND = 3 ; The system cannot find the path specified...Global Const $ERROR_TO..5Kg>....K.3o-.|?.c....XH..eTs.J.7....>
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27747
                              Entropy (8bit):6.712507164951695
                              Encrypted:false
                              SSDEEP:384:gNt4a+Vw7S60YAItvlFicP6pRHI0VA828g6qIlGOI4b7+OdjleWjztvynN+61nt+:Y868qElI4hReWj4F0v1
                              MD5:834D2C00F1A01FAD7488614DC63CD524
                              SHA1:7C5CD5AB4DE04886384CB9DABAEEC23E3F1D1C88
                              SHA-256:5FC3E8A8364DC3C08D1BAFA4B30A11FC5296BB811204A3A785FF6DE22C942822
                              SHA-512:2B9755291B50C1F75E951E715E99BB5ACBA18763F6C7996EF24F962E24E81F1C920AF3084355C6912482EB4DB1D784EB69E46E38BE6463D1DCFCB316653FC8A4
                              Malicious:false
                              Preview:.4.......bY...A*a.3.....~..,..}........M.,..2..?.* ..XG..Q.(==================================================================================..; Title .........: WinAPIFiles Constants UDF.........cH.J.8O.N#.....*..e.c%IE......C."..>..9.[|]@....L.;....: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ==============.`.C...R..1..6.q.g.-...w.c..,..}........M.,..2..?.* ..XG..Q.(=================================================....; #CONSTANTS# =============================================================.`.C...R..1..6.q.g.-...w.c..,..}........M.,..2..?.*.9*oA.;U{API_BackupRead(), _WinAPI_BackupWrite()..Global Const $BACKUP_ALTERNATE_DATA = 0x00000004..Global Const $BACKUP_DATA = 0x0000000.P.9....OU.x.l..{S........E..}........@.#....`.n.Tr]T.Z..-.^UP_LINK = 0x00000005..Global Const $BACKUP_OBJECT_ID = 0x00000007..Global Const $BACKUP_PROPERTY_DATA = 0x00000006..Global Const.y.?..?..Ij.Y....{D....z.n..!..p.;...\.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19736
                              Entropy (8bit):6.80177044190285
                              Encrypted:false
                              SSDEEP:384:W1tQ3I2DPC/eg2l+xW23HJZ6tX4cDYrEBxxvGsm8zE:V3Bd23rCOkvFmJ
                              MD5:C8C67F5D94E62965F34F789E177B28AE
                              SHA1:AE3F5DB0E6A9278FBD304329D0F627490722F619
                              SHA-256:93FF32D914A71409EB53A80641B926882E19842D908E86C3646249FC02C069CC
                              SHA-512:EB086CADCE39E05CB4151006FF79B40369737329E2BB1AAEC7A889AA96DEA88879E874B91E0A4D706021428DB60860DA89F83D23F76FEB0D7C1290F1CC307BDE
                              Malicious:false
                              Preview:...)D..Rl[..hm..}Y....g6.c....:.A...G.2..<..v....2i.SX...E},==================================================================================..; Title .........: WinAPIGdi Constants UDF L...7H...q.......ut6x..W.....q.u....I.!../..A...a3.....Vn?..: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ================..x..DB>..VXZ..{D.~..S.~....:.A...G.2..<..v....2i.SX...E},===============================================....; #CONSTANTS# ===============================================================..x..DB>..VXZ..{D.~..S.~....:.A...G.2..<..v.....Y.UE.....AI_AddFontResourceEx(), _WinAPI_RemoveFontResourceEx()..Global Const $FR_PRIVATE = 0x10..Global Const $FR_NOT_ENUM = 0x20....; _W....n...sG...%.+.L...QF.N.dK.e........L.sQ...n...P..:(...(.V = 0..Global Const $COMPRESSION_BITMAP_JPEG = 1....; _WinAPI_CopyImage()..; in WinAPIConstants.au3....; _WinAPI_CreateBrushInd....1..tuDY......).O7.`=...aw.S.9...O
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8071
                              Entropy (8bit):6.697410267792323
                              Encrypted:false
                              SSDEEP:96:JJrAQ0C0vGqJoQj+mXw5cX0IGMIdvveGdHG166BSHhdFZ+z3O+K7BW1yOJy+kHo7:frUVyG0fvveGV9Hru3O+K7BqyOe2
                              MD5:1927182F77EA910D6CF4F45806606C05
                              SHA1:FE022B5A83E5D8A06AC0B75B60012D79D0072E55
                              SHA-256:F2EAAF5682BD71E63554F3BC7FF5B901F59D6F34AE64007FDB58391F9688ADB8
                              SHA-512:9430521E71D37900EE8AECDD587AB0A22DD964669B03CF354DB54CA5E558FE4ECD1A2628307FE2C72714F239A38D60A691F1DD8F68D1E3ACACA0434FAFED542F
                              Malicious:false
                              Preview:.(.>{.*...I.oO,}.%s..Z^.f.._ua.i.m.....d...7..4.~.....Qy..kSP.==================================================================================..; Title .........: WinAPILocale Constants UD.a.4u./.]...^($7R).r..$&.3..+<|.1H#..C..y...$..'.N.....#UM1.M......: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; =============.|.`*.sI.....5X..{.;..";.{.._ua.i.m.....d...7..4.~.....Qy..kSP.==================================================....; #CONSTANTS# ============================================================.|.`*.sI.....5X..{.;..";.{.._ua.i.m.....d...7..4.~.....fI*.v1:MnAPI_CompareString()..Global Const $LINGUISTIC_IGNORECASE = 0x00000010..Global Const $LINGUISTIC_IGNOREDIACRITIC = 0x00000020......2u."Tg.X(A.i..Ys..PT...'ha.dB`.....i..9M..k./..[...d.b.< {IGNOREKANATYPE = 0x00010000..Global Const $NORM_IGNORENONSPACE = 0x00000002..Global Const $NORM_IGNORESYMBOLS = 0x00000004..Glob.-..x.=.....~E:.a..T...[R.f..R0l.d.`....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2193
                              Entropy (8bit):7.624283334855522
                              Encrypted:false
                              SSDEEP:48:ux91TYcrGGYhW9Y9w9Y9dRtIchwwRPEJGpB5Cqqry/mJz++Y9l+Xf:uldBYhTgchxWGvlP/mqq
                              MD5:5CEA1AEFD18F8B513B475860A32C33DC
                              SHA1:9AA82681C1285AB4B6D89BEBAA0215174CFD838E
                              SHA-256:88A4B14F242597F38BB878DFF5614BC29036C000C7B7649FA7696FD34FE50321
                              SHA-512:E10581302424D230024191BC1A64D84321470A8E1A6C720A34EFB0798C445D9A86B9F28E2CBB2B2D02A00D93AF13D446EB1ECA181CF1A6D7C6F63025BF45EA4F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5425
                              Entropy (8bit):6.774480237223261
                              Encrypted:false
                              SSDEEP:96:Q4nyCPnXpFJnL7gKGTH7Qfr0TEJVY+aEHQsOxR5aEaL7VvBf:Q4yetgK/jeuJf
                              MD5:DEE9ECF0D6B4369ECFA7B2A735A0666B
                              SHA1:4C8DEF1282BE299ABC6658366A0A06785E3624E8
                              SHA-256:8BFCD452408836443E8FA6864AF0019A4E14A1552D17B7B5E5217529731F6791
                              SHA-512:01B03202EB111C6826D5C25D72F24845C04BA99A1FCA36ADCD9F19A86726A529D7DBC74CBC1C36E84BF96360642DDAB48C40E46A39F53A38FDB192A2991C3FE5
                              Malicious:false
                              Preview:....5.w..`rL+..v..h..]4..y.B..JB.BO....F..$.......s.t.2^,}. .==================================================================================..; Title .........: WinAPIProc Constants UDF ....8.j.W`n.....O..F..90..6.........D...H../...,.../...n.t`.3....: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ===============....d....2!.s.F;.v..$L.d.B..JB.BO....F..$.......s.t.2^,}. .================================================....; #CONSTANTS# ==============================================================....d....2!.s.F;.v..$L.d.B..JB.BO....F..$.......C.D.4CN..s.PI_CreateProcess(), _WinAPI_CreateProcessWithToken()..Global Const $CREATE_BREAKAWAY_FROM_JOB = 0x01000000..Global Const $CREATE......_.nJN}...6I..k..)..i.O..Gr.8.E.....X.m...twm.....X<R..N.LE = 0x00000010..Global Const $CREATE_NEW_PROCESS_GROUP = 0x00000200..Global Const $CREATE_NO_WINDOW = 0x08000000..Global Const ......V.a]S{...>B.....\"..d.O.GO.OB...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4873
                              Entropy (8bit):7.814945531940821
                              Encrypted:false
                              SSDEEP:96:M/Pb/P58cb/Pb/b/Pb/Sn5NKI9mb3fIA+Isia34DNGL8+RYK/k/+pUoJ4+WK5gT+:M7Zt7j7aneI9u3fI70Dk4+GK/G24+WVa
                              MD5:172B3D7A7AFEB04FE4A365949EC32E60
                              SHA1:5B8BFD8DAB0A32720B20626105DE4578C8584820
                              SHA-256:11BDF93D44664D51191154283095CA7421E0E4A4FFF2C3CCD09C283D27D4D7A6
                              SHA-512:47FE25551B8FD64CD372331BC575623E104D8FD882473FA47B4D1ED4ED2A9DEEC1650ECC09309FFEBBD6B9CE604BF85A0800438C691A4CD1224BCC41E9A9864F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6799
                              Entropy (8bit):6.796911032072646
                              Encrypted:false
                              SSDEEP:192:68RQtaXMu6iJD5bvOnmO2F4Ry/tLo65/FS:68RPMu6iJIHUtLvFS
                              MD5:6DFF71CD56BFDFE549A364D20D7C14AD
                              SHA1:ABB832E0FB8973895DA0CABA53613F8AA7A93313
                              SHA-256:248785DB7E7167B22CAB4531459B492D310BBA6068C6E30B379B48372961BADA
                              SHA-512:3E69FBC13558F68600A077500869BE08CA56260038B1EFAFA16673A7C1813DAF14308EC0E3B66BB01DC97B3742652DAA06398117FB9210D4CFFF75339EB4EC1A
                              Malicious:false
                              Preview:.O.`%CWW..B..~..]m...0....1c.7...(|hZ.3J....#..5....0...D.==================================================================================..; Title .........: WinAPIRes Constants UDF L.D.b;O.T...#...#e.......f.,..xW[.{aoG. D.......(....j...W...: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ================...>t......_.N..jk....H....1c.7...(|hZ.3J....#..5....0...D.===============================================....; #CONSTANTS# ===============================================================...>t......_.N..jk....H....1c.7...(|hZ.3J....#..5.....-...8xI_FindResource(), _WinAPI_FindResourceEx(), _WinAPI_UpdateResource()..Global Const $RT_ACCELERATOR = 9..Global Const $RT_ANICURS.t.>i..?.@......9.....'..n.E..Ej..5sgj.I.....]..{....O...).= 2..Global Const $RT_CURSOR = 1..Global Const $RT_DIALOG = 5..Global Const $RT_DLGINCLUDE = 17..Global Const $RT_FONT = 8..Glob.J.@&X@F..~6.5........B..h.c<.f.q.{2!G.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3485
                              Entropy (8bit):7.790225243427575
                              Encrypted:false
                              SSDEEP:96:rQnMa8+aWjd1m/c88pF/uOngO8nEwVdRmqC8:EK81m/evrngZF9mQ
                              MD5:E04CD6EB56C2C4EE8A62C7BB916440EC
                              SHA1:C0F95554B0FE070FD87AAB9C385D1883DCF4D2B9
                              SHA-256:8F2B0FD7FD299BEE35F09CA3BCC640F5AB37FA1D131DBC2E32AE6A637391D868
                              SHA-512:CC3C7C58632CEA62524C4F51935B9F542DAFF6D2401ECC63D39E8058AAA90B7629E7A03DD27543300FF4054EE30B0B937E1E57313754A82EA82E2AAB73A1F258
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33423
                              Entropy (8bit):6.872692888871156
                              Encrypted:false
                              SSDEEP:768:7nCX1pAO6x5/atr/u+iR+eRhreW5Id1crmoK/2:2X1iO6O/u+U+e3reWed1crH
                              MD5:EFE7A722BD7273F980B68CA97319776B
                              SHA1:9E205DAB557CBC1B560D3443F956EB1022EDE1CD
                              SHA-256:2B9A6B5F2F6F674EFCE80A6D970B17BFCF6563CFAE869B441715A0948E08B5ED
                              SHA-512:52FE2CEA536F9662337E2E38690A846DC164D5B77B03710650039149EC5EEC75ED3463D93BFB162E5521C80F7CEC18B41DBA7FD2B233AF64A97EA1CB8E52A173
                              Malicious:false
                              Preview:.t.0......~7Q.}S..YS._..S*:...<%.}...0...|c`.........u......*F==================================================================================..; Title .........: WinAPIShellEx Constants U.[....i...02[nW....9."..0)[..Hl..BMEd.F.{~n.........h.......r[......: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ============. .n.&..-i.!Jc..DM.,.64'...<%.}...0...|c`.........u......*F===================================================....; #CONSTANTS# ===========================================================. .n.&..-i.!Jc..DM.,.64'...<%.}...0...|c`.........u......H,inAPI_DllGetVersion()..Global Const $DLLVER_PLATFORM_WINDOWS = 0x01..Global Const $DLLVER_PLATFORM_NT = 0x02....; _WinAPI_ShellC.|.4..t...i|..}......1..ezn..I[..x~zA.~..................u.l Const $SHCNE_ASSOCCHANGED = 0x8000000..Global Const $SHCNE_ATTRIBUTES = 0x00000800..Global Const $SHCNE_CREATE = 0x00000002..G.r.2..X...dt.O?...&4.]..N)'..1(.p...9."
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16526
                              Entropy (8bit):6.870657873475127
                              Encrypted:false
                              SSDEEP:384:nzHVfCKtzzIKKUxXbTA3WdgAL+0Qj/IweX5fPBHAYY:pjmK7xXbTATAZQj/IwkNNHY
                              MD5:5B60C8ECAC368DC6C1760E6265E49FE8
                              SHA1:3A06855083B06584E25DFFF3B2428BBE462AF4DA
                              SHA-256:5971EBF1B3703D0022103179861CBD173693745C39D17D1C4EBB2611B310672B
                              SHA-512:50879D4C7E9AB225DA3009A3236FBDC97F4A69A9DDDEB0FAB1599876CBA68AADE18D088E92F2C97DC0BF15DBE0DEF49A1CE1BCDFBDFC17F11547833A7BF7B2AA
                              Malicious:false
                              Preview:.1.f......."..7..e.k....U..T..v...u.........U]E.......%..==================================================================================..; Title .........: WinAPISys Constants UDF LF:.d.s..M.....R...H.......<......$..{.........$....R...6....: English..; Description ...: Constants that can be used with UDF library..; Author(s) .....: Yashied, Jpm..; ================.eX8.7.O...|X....x.......H..T..v...u.........U]E.......%..===============================================....; #CONSTANTS# ===============================================================.eX8.7.O...|X....x.......H..T..v...u.........Umr.......v~.I_ActivateKeyboardLayout(), _WinAPI_LoadKeyboardLayout()..Global Const $KLF_ACTIVATE = 0x00000001..Global Const $KLF_NOTELLSHELL.eE5.:.B...yU.7..'.........../..............XXu.._....8|.nst $KLF_REPLACELANG = 0x00000010..Global Const $KLF_RESET = 0x40000000..Global Const $KLF_SETFORPROCESS = 0x00000100..Global CoA+.%.A.4}...#.q..e.....D..d..'...h
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12166
                              Entropy (8bit):6.726812950780171
                              Encrypted:false
                              SSDEEP:192:YJDYb06Lv+53Vs7/M1PiTDgbwkcxTtt7ig21Ss:YJl6Lv+5O7/M15bwYp1Ss
                              MD5:810137AD018C311567B138A5751C3D19
                              SHA1:D6FD438D254240C39D7ACCD542194ABB049A6DA1
                              SHA-256:FEE6038A1B5733263C567D8E506A713ABD906B347FC38B371D185723F2C05FDE
                              SHA-512:A4B6BCD02B5341AE480906C2257EAEDDCDACE49C84CAE93765A2A970A20348EE815304EFEA63E537F9FC8117FDB8717D24544EE03CD36B8E82DCF8B9169B81EB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1897
                              Entropy (8bit):7.579785687014385
                              Encrypted:false
                              SSDEEP:24:4HutSqCybDL2bmuHu/uHuikoDoNtLHvd4ibzm+IuFyySqkugsnrvWfuOrZF6V9h:PSqnTMkxHLHvd4ig4yTq7gQqTaJ
                              MD5:794C1878933A1E25108CF19CB2896CCC
                              SHA1:A369FF4C33999F3DF4C65509B811F0EC256D9A4F
                              SHA-256:1DD289C6A3AB551A966F40107A4EE5D01212E4D9533B1A69875CC1BB01E60072
                              SHA-512:B6700ABAA297C9DB16649FB72BFCA8944407EEE584D3BFEB518C0905F48A490E1858DFAD90A3C9E1E76AD29DFE4E61FD6D175004D923306FABE50D11E3D18956
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):85539
                              Entropy (8bit):6.7371926938599405
                              Encrypted:false
                              SSDEEP:1536:xpn6wEasemZWCiOXrwzBAao2tBT2aa7ByAuCGphbgUIdC+RNSY2VsCH35ISV:v6wRMZ6xBBKv7ByHXhbhIdCSNS3VZH3H
                              MD5:4042307C7B0878DC3D8FC682EC35356E
                              SHA1:F8F55F8ED55EA7BCF8FE3EAF3383F0DEDAC9E8D7
                              SHA-256:04D1C1876674E5DB4AA9A45DE265DA5C71162DA97D71E9D9DCDA0F56986DAAA5
                              SHA-512:AFFD77A2F58620A4C15C5DE24DB1A5C94692703129AFE2A049000C6EB03F686B35B0DAA4822D25699E00530FDFC5CB89DF224292F51832A51388A368382B2D00
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42789
                              Entropy (8bit):6.872724688338539
                              Encrypted:false
                              SSDEEP:768:ORlRg6nsyE7FGqeTJnqH8sutc+3DXoYdVpiIK2BS5loJtOwq46JFui:x9u3XoYd/tK8lKfFui
                              MD5:DE96576D954170FE2EF06E3891324DD6
                              SHA1:3012C0F4BC9C89FDEE1D598FA4B49DB35AB1F1F8
                              SHA-256:0DA9A4DF0B951BD39C85A780E88CA9F5A465C9826D5F48F26ABF0A080A38C44B
                              SHA-512:F76B3EAD5DFA09660611FABB9076F7513EBEAC02232CF03E417A3C700373E8E8EB80D403ED937CE9941C6D4D029A32179B896F761751D503E5B2C62CB383FF6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13068
                              Entropy (8bit):6.831078517680806
                              Encrypted:false
                              SSDEEP:192:jQcZCtoGBbNOasa9v+0E3w3drrsljWWgQcWIHSQ:jQcCLZMasaw0E3wZnQLQ
                              MD5:4565F8DACF2C6766499999AEBA914FEB
                              SHA1:D35D5E509A2B37F225EE7315415F2D9C465E3D09
                              SHA-256:A8EAD5663DDC7111852D701EC3910B4F90B743A78ADA77A915F1F1604F2DEE43
                              SHA-512:A47AA4E4897FA553EEDA8F05B0E43950CE1509E94911EF6156C601B3B8F9D7E9251B4CCA31FF9222900FFE8685843C9322B0536B310BEB6B8C699F3FD39F2CCB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2792
                              Entropy (8bit):7.482270395768446
                              Encrypted:false
                              SSDEEP:48:xvFlFJ7NkFlR1Fl1ZA8UTFlFO6FlFcUFl1ZFlFHGexqlFlUSwlFq5FlFz4ZP:xvH/hkHR1H1ZoH46HpH1ZHVGexyHUSkN
                              MD5:E2F162C1726F96A3A62F26757AC69E73
                              SHA1:45684968017A84520288C773B697AF4092266BCD
                              SHA-256:D3539636F92D530363DC136FBEB8E3C9F1346252F7C30658ED986FB26A5D9372
                              SHA-512:1B402F26D960ADC5A170C6E979EE91E3AA71D5D0A776EDC993AC24BC75A37F9BCFBBC0E5063BE142AAF5C77A6FC9A3887798CE14616BFDDEBCD745B066A78DED
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6698
                              Entropy (8bit):6.68395722989785
                              Encrypted:false
                              SSDEEP:96:aAxgWVX3Z9u47wihswCNBm6LthuVcXndigQxZTJJJ7XFy:aFWVXpMA9hQNVLCcXkgQxRJTXFy
                              MD5:EC33A4985CC9F056D113D8F8CEC9316B
                              SHA1:9B272EF313809332609E4C8827FF7EA6C8E4853E
                              SHA-256:2A0408417F13FAC3C1542C0D4B16816A99F185549AEDD9C71F5B09DEBEB544A2
                              SHA-512:8BB315B3593FE11D6AFA2E0238ABA7D673153FCD381D05F73ECEE6A37DA492463353A86CC69BB3CDD8B801B1C2AD6871143860EA652BD5A7C00A0C6C4B52E9BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2434
                              Entropy (8bit):7.6925432752314284
                              Encrypted:false
                              SSDEEP:48:6HjAZlGAH8AbHmAxVcgybORrDBWOqBGILnRj1nCqtM8kHcZ0i9j:6GlAAxVrybO+OqBGsnRj1nCyv00
                              MD5:5D80336BDF2106B2C2D1A4F1EEF3D0D1
                              SHA1:4D9F01E72D7C868F8CFC6257337B25C988B0DA43
                              SHA-256:689DDCB6DCBF7E230FE066A14EF6E2C095765E9FB8F829FCCE7D33ADA91015C0
                              SHA-512:800D814933478BC858585903959911105A241E50135256BCFB695E9958A8D93597BA8DB2881C0850D6B143E4AEBFB8C9BB481BD889B86FD03866C35064222750
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4765
                              Entropy (8bit):7.830529876548603
                              Encrypted:false
                              SSDEEP:96:lsfNjWntvDspDJE/kyJPWPs5+971eGNQK5QrqiRVQZB+A:yWnNcDmky8PsQ71iK5QrqiRGB
                              MD5:952B245247AAA757956CD4EB82E67961
                              SHA1:606BE49DFC0F1CEFF2121EE44E82AAB73748C101
                              SHA-256:C2002B3A82EE9E7A11D7FB5BA1247CC6AD9261E314FEC9111CC84985C22F8B9D
                              SHA-512:79264A84F4A2EE87601BEF17FAFFD14EE004730AE5A8EEDA8FBE5A7048B853CC22953982F784E953E8D0A3D668F99E088FCE20BBBC778784C98636E35A93F02B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):47975
                              Entropy (8bit):6.723946788124523
                              Encrypted:false
                              SSDEEP:384:JbtSKEChvbz4fP9uMQ5pUt4Ynf6zyygvRcWUAc18Aok2T/oHaeNCqGi7ibcQjSlA:Vt1B2P8pUtRfqv9B2bDSZymyTPl
                              MD5:87F2374A5DE220EAB3CE79761AEF7B25
                              SHA1:E168A51C151A8C254D889DDDE9672D5BF92C0315
                              SHA-256:1C0353F94C6773578B728E94E0B66EB7D313FDF25A37338965FE840D0BD6B342
                              SHA-512:0E884329BF90F74690945777E1AEA18EA9B2757492C5B47764A23DD641F6F5AF09BFDA93B322B118BAFA19DC67C9377C5D713271174CFFFB8C42EB5C910D2598
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19232
                              Entropy (8bit):6.340275260720928
                              Encrypted:false
                              SSDEEP:384:ZIWzMB7KMjwBWEv78F/TdteipBqLt6+VrYPfpmeRuabDD3JaxE+CHC7OyvnWTR+o:uX7KwwBWy7UptxpBqLt6+V8pBRueDDZJ
                              MD5:D16BC97B02A84D7138A622CA144A58C9
                              SHA1:9ACC27C05617A2AA91D7E638225B2B10199F77BD
                              SHA-256:6FC08677176211DDA306F1AC43CBA0AFAF8B0734A682FC34335022EBB9ED43F5
                              SHA-512:1ECE08626E931EE5BB8BEE1A67894ED80A4C32691A572824AF9780E9E8DB0A7A99796894E57FD66577D85636EC5CDC942BE34FBBE5641FBF28BDB0FB334492B1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10298
                              Entropy (8bit):6.222876105465709
                              Encrypted:false
                              SSDEEP:192:VNcp4Z3yKu+yoZrCG900PeZlTRk29RxJ9615nHL81:VN1MKt3BCT0mZtRl9RxSjnrQ
                              MD5:7DBCF6FB97EB572E13CFB8395B892527
                              SHA1:B91D7E3C96DD882C497270A602F3CF22D82491EE
                              SHA-256:692DD025CB2FBA132A48825CFEB49A3D6CD2C3920E26A1D303D2A6ED1FC9CC8D
                              SHA-512:C0D43067E910C76EB7A58C2C1BBB4AA6A3AA4F2E7AF4E94CA454C76B986F0052F21800024389E846DEB8F94E00D7BC72ABC4877D89D10806C600B641AD573D1D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12870
                              Entropy (8bit):6.746538896750991
                              Encrypted:false
                              SSDEEP:384:jssEV4mZO7j8qh8XSJRdFFwn/CpiPeiF/lZ:uZ8j8y8XQ/UeeZ
                              MD5:B9AE44DDC2D44CC1F5ED71B6A677DCB6
                              SHA1:220BBC439F04284CA38DAEC88A7AB68E1067BCC6
                              SHA-256:FBEA883F1E3A96F7D95AD37BD0500C4C78A093E0239193E39B65A100C7BA9C49
                              SHA-512:048021461EB0870D590FACEB4878B50B17E6D2938DA80A0F15A898AC960438DE43AC687175EDC2177BE3766CB0D12E22E7382A71866070966489893755A4096A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8085
                              Entropy (8bit):6.835167113348044
                              Encrypted:false
                              SSDEEP:96:rZj9M1Ix2CyRoqzxa8CM2dbQgyAyNgzCH3qdgErhak4LxVnfgS64pbiYbAv8FjI7:dj935yRj1V2ZDkH6dgGo3HK8BAAv5o5
                              MD5:FE79FB0F643B0FD9F62EA41A350FD7B1
                              SHA1:DEE6EA756E34ACFB80A68179F31CAEA6DC806DF5
                              SHA-256:FBF9A7A47D611794B20B1C0708A11CEC2BA229C9DA891305FAADC5E7168C80D1
                              SHA-512:5B5056FAEDC6C3CA434997498EE861DC9279BF52ECC7C400FC1FC851C68A578B9FE27BD3FB32360A018B2EE2F52885EB023A0FAF83C4D1E84BD6A86284CD59C8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4547
                              Entropy (8bit):7.799443075573907
                              Encrypted:false
                              SSDEEP:96:KWSnOdgQ5dMLX+iUAq3MzyfW63KDPrzFuS70H6:KtOWLbPqqZRDrzFZ70H6
                              MD5:97CBFD12C6B6887E8EBE8D66CAD285DA
                              SHA1:016892E40EB1884E5CEF6A9B1FD0776A0244B686
                              SHA-256:84E979D03C20F91205694681703A4C022D8107B1F3D83C2E3F2D10EE06A845D6
                              SHA-512:6E5F1A43A08E8A2400EFB9BD5EA0B1B1216CF604720BE06EF96CFEE509BB429DFF8A38390E15FBB832F7DF9236D416059AB300CBC81AC64634B01C9520947E0C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27575
                              Entropy (8bit):6.570240019929509
                              Encrypted:false
                              SSDEEP:384:g1KeehR5IMR0l7DLa5AM6oMbFUP8kzUSR1htXIj5bMb4XAVU6qakfA1zhz7hAKhF:gheCMRgroXj2Ob4e9GKhF
                              MD5:C0D3B522759860345362242154CDE953
                              SHA1:F719EFBFB021C81F88A0902EE2E2C65FABE04BB7
                              SHA-256:9E786D2EBEB6FDD160991E813FD0A172AB7744178EEB562CCB79EBA582C8C10F
                              SHA-512:753B6E15D12FB34B2492E7CA7C5CB1FEB6A4A3876C0120D7E8720C39359C850F1013B21173B66C8665DFB07D80AFC5B0CAF8D0757EA859AF0B2E816395BFFECF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):86394
                              Entropy (8bit):6.418649688168852
                              Encrypted:false
                              SSDEEP:1536:MgGMIoOjmmujflHEBTMQYecX98M5GbWZ4d:mm/jeBTMQYd738
                              MD5:E8CFB147FD91AA380A4C5B67D8EFB8DC
                              SHA1:E624CA3C0A74319D56A1D793D5DBB44D08188461
                              SHA-256:894574192B57842A5802D56C3CA31F9011230CCAB9628434EA764BA797C0EE6C
                              SHA-512:81D335DF3805CAAD1623F7643B292F7C762BCD79C2342CE169B79E1F7506110D8693473F163D1FA86689CB6B1F66C8E93F23C36484531D046E4F04C9851D656B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7368
                              Entropy (8bit):6.814123707699499
                              Encrypted:false
                              SSDEEP:96:qg+IuIW5KhF/21QpfilMT2LFWy/K/bu8fEwIaK9joPlFJ:q1IZqKhBZf8LAy/K/bllIaK9jY
                              MD5:82AF6FABF9C17A6A84D7490664E93DC5
                              SHA1:E28F4FBAEDFE76088B17F120BA3A1F1B8D49E20B
                              SHA-256:7A020D3E157BFA9500625CF7D6AA43122220A198918666A0794B19F7D4C26395
                              SHA-512:3AD9D7DBDB2D55258E0D4924223873C27B6EB463D0712FB699E1853DFBD606AB91E44F98B27A1A37EF0BAD9A8E7E3F2E7108B12F043B65529717649D2D39695D
                              Malicious:false
                              Preview::P...[6..K#..s...z.*.P........O.M..2.........z)g6Q.{4L.~.>...==================================================================================..; Title .........: DateTime_Constants..; Autvp..9.M L.K`.J..k.Mi.A....U.....^..!......D4|W.W..l._1YsG..n ...: Constants for <a href="../appendix/GUIStyles.htm#Date">GUI control Date styles</a> and much more...; Author(s) .....: ValpR..(.M*..W/..t...g.^e)v......O.M..2.........z)g6Q.{4L.~.>...=================================================================================....; #CONSTANTS# =============================$...R..n...}.D..g.^e)v......O.M..2.........z)g6Q.{4L.~.>...======================..; Date..Global Const $DTS_SHORTDATEFORMAT = 0..Global Const $DTS_UPDOWN = 1..Global Const $DTS_SHOWNONE $...e.S<G.I`......~.7.K.....f..=..1..2......L+4.d..2)Ux.c\g..EFORMAT = 9..Global Const $DTS_RIGHTALIGN = 32..Global Const $DTS_SHORTDATECENTURYFORMAT = 0x0000000C ; The year is a four-digit9_...2Yb.J"..Y...).C|P.....q.."..#..2.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29607
                              Entropy (8bit):6.581818381853153
                              Encrypted:false
                              SSDEEP:384:ntEB+/R6xQZQQMy1eNQg9Mtwisk3IZdm8WviFKY9FtkzAC8uS2eEeUxNf:PDiQxuPZdWvi/Utvv
                              MD5:6A4DEA912BFDA2D75E2AF5BCD9C738BF
                              SHA1:7BC0FFC1CE7BDA762F01E5551B543BC6F25A0792
                              SHA-256:FC16878288874E9742D2BF361BE3C58B82758CC795C5BD1489BEDFDAC295A056
                              SHA-512:A0C47255EAEFC96BEDF274B7B6B811F9B9EBBE4F6AD2CAABFDEA9ECAEB5B0F0E3D976D10DC05781EC254C1E159AEE1580F85C4106C2F60D4053E6B02B77C8DB4
                              Malicious:false
                              Preview:..7.....a.K$..k......0w."K}G.9.C5..+.{!k.5.b.Q..e.;...d.'.."AutoItConstants.au3"..#include "MsgBoxConstants.au3"..#include "SendMessage.au3"..#include "StringConstants.au3"..#include "Winz.......o..c..k...T....J.^.2..@..xYVo}(h3.f.3...U.z......5.~..==================================================================================..; Title .........: Debug..; AutoIt Version :..w._.......a...u.....z<.M./c...Y6.fX{5.k.8.g..Y..g......}. .ons to help script debugging...; Author(s) .....: Nutster, Jpm, Valik, guinness, water..; ======================================..d.L....3..|..[/..J...i/.^.2..@..xYVo}(h3.f.3...U.z......5.~..=========================....; #CONSTANTS# =====================================================================================..d.L....3..|..[/..J...i/.^.2+.:._'..r.z;}.{.Q..o..".^...f.,.ext_Debug = "Debug Window hidden text"..Global Const $__g_sReportCallBack_DebugReport_Debug = _DebugReport..; ==================..d.L....3..|..[/..J...i/.^.2..@..xYVo}
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1409
                              Entropy (8bit):7.371988987923833
                              Encrypted:false
                              SSDEEP:24:sbpFrpF7keAlD5ElOfrpFrLDpFrXgrjHk00tpFrpNNNH:stvhkeAlD5E+TVhbvNNNH
                              MD5:A9783988B9F4C64FEEDBAB24C8B7835E
                              SHA1:18D95EC7352A4BB786B118B33283FF389E703ACA
                              SHA-256:7BBA0D665971261B87802A4CD916F190B07FE7310E1DDF14C7997D876C9AE855
                              SHA-512:8C51FAC93FAB29CA9A8170F71FFE0CB05A4965100ECB2ADF5CA5DB6F619039E03890E594910E95728443D0CC97BB5E2D23DC3BE7B232E74B74F1B2C408A7C447
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5148
                              Entropy (8bit):7.806104492797392
                              Encrypted:false
                              SSDEEP:96:D3rFRcWLBjFc4HEQdPlWZaXCipgRPZ6UTm5NjDDpdf0jqdl:rrFoePIgXCipCPZtTm5xDnRdl
                              MD5:D16222A9681268A4FC8A47B6A84AA148
                              SHA1:E6E27C7493A5EA9BB31D3488B1214B64EA02FCA7
                              SHA-256:BE66973D002A23B4F8583C3D4F7FAD25237E330F6FB92E0744B9934A5A239122
                              SHA-512:552825B777BCBC7CE0B9CE005FFCC04A920F45B1AE31CC838D42BFB7946FE7839B2AEDCEE9CE234FA3E1A2C5889C35D9A4651B370F79AC2DA3CECC553A6F3D3E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31421
                              Entropy (8bit):6.468981560849005
                              Encrypted:false
                              SSDEEP:768:FXagm88UmkuLRoyzlQmmRvTJjL8nAjWzVH2nrNx7wgN:wg9gojMA3
                              MD5:E721364FA3A912CBC2900BE888527DA6
                              SHA1:601DA0AF2550BBCC3897137BCBEAF8E91D1445FC
                              SHA-256:D2CAB8B730488D7F08EDCE54C2030438B164A51A88A76E7184418DFC8817D7BC
                              SHA-512:C9115FC912855FD1976AACC06287C6FDE77CF30DCCEF91BC8653F0EA37A41C035B56477D6DEE960DEDA8B64618297C6517AC06F15B3BCFEA95F85BCB6E382A7A
                              Malicious:false
                              Preview:;..\.6vBt]'N.~j..).=re.8..g...w....{L..<.n.?%...T..Y....~s...include "StructureConstants.au3"..#include "WinAPIError.au3"..#include "WinAPIRes.au3"..#include "WinAPISys.au3"....; #INDEX# ==%.[..~/.d.t.ZN]..7.n,4.a..x.../.A..d|..h.0.w|...s........6}...=====================================================..; Title .........: Event_Log..; AutoIt Version : 3.3.16.1..; Language ...6.H...|@5[:Ejy[..o.0c`.(..+...<.\.H7"..:.~.>).../B..D._.o/...ystem logs...; Description ...: When an error occurs, the system administrator or support technicians must determine what cause|.FK.&2.<@;B._m..*.s1).|..e...2.\..85..8.y.>....-^.....O.g/...ata, and prevent the error from recurring. It is helpful if applications, the..; operating system, and othej..F.7wJyA,_.....*.6rf.8.(...fJ...<7..!.-.?"...=......[.y9...ditions or excessive..; attempts to access a disk. Then the system administrator can use the event log to8..Z.32.=W=H.....*.$yh.Q..e...2.\..ya..u
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57934
                              Entropy (8bit):6.639574387347109
                              Encrypted:false
                              SSDEEP:1536:g5JVGNQFq2InavLvhZB7e+ZDgr0DsQz3QOiRYunQUrmt1NMAIJGWKEBvwn6Y:4JVqQfInavLvhZB7e+ZDgr0DsQzQOiR+
                              MD5:C22ADB4D4D69D10DF3E274A627C9EE68
                              SHA1:FE055549AE55A6CCC9BC6A46C9ADF41C494C6059
                              SHA-256:6385C856F74D5744F2391D17071A42E26F3172761C03D204A43577ABF80365C0
                              SHA-512:A0CB39596DBCCA9035C0F6FE7D97D2B75537886D06F529862C1ED83B10C220E9DBA18C4880B016D292CE21CFCD619E63179027952956CD31C8983FF27C16F0FD
                              Malicious:false
                              Preview:;....{y.......~...n..h8}.,.Z...n.2..t(....V{XI...[q.......&T3"....Global $LastExcelCOMErroDesc = ""....; #INDEX# ===========================================================================%@..3 .......#.*....M6...w2.h..Y..^.,.Z*y....O.tC....1E.....i. Microsoft Excel Function Library..; AutoIt Version : 3.3.14.5..; Language ......: English..; Description ...: A collection of fm....as......}Br.....+.YMjb.;MK.......GZ-....XT....QsK.....1M. Author(s) .....: SEO (Locodarwin), DaLiMan, Stanley Lim, MikeOsdx, MRDev, big_daddy, PsaltyDS, litlmike, water, spiff59, golfinp....aj......Sy;....n....n."MW...i.1..d+............a.....z.=========================================================================================================================....; #[(...@I.......#.*....M6...w2.h..Y..^.,.Z*y...I......"V.....z.==============================================================..; _Excel_Open..; _Excel_Close..; _Excel_BookAttach..; _Excel_Boos>...k.......{MH..<b.C$@4..aC...<.~..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19931
                              Entropy (8bit):6.647282039370262
                              Encrypted:false
                              SSDEEP:384:R3b/n4pJsNg5t/v8JFrhGx10U12kF7O3Smv8ae/aaereo2e:Nz4/v8JFrhi0U12kxO3SVMN2e
                              MD5:F385A5A88B0B45A547477E3007F233F9
                              SHA1:EB7F95EC6366EDF653289D074ADC4A8481911EA3
                              SHA-256:1159BCFDE96868172E48088AB4B5C3AF6B5D30E66CEC50295291A6853DA1F872
                              SHA-512:68451E973C52A54A02D025C5D7902C5883313F74067521AFA50B1D1EBA77A01B76BD258D7C2019D28A65A7A11E7910D3D9AEA430AB9CF288F51753106DA719AE
                              Malicious:false
                              Preview:.()REK...J.Z...w..A:k...IV...h.."._i..s0....".H>...G.!y..==================================================================================..; Title .........: ExcelConstants..; AutoIt .$5B@Q.......N..l............{..1.':..'~.?$.?....q.HT.Zrd..: Constants to be included in an AutoIt script when using the Excel UDF...; Author(s) .....: water..; Resources .....: Excel 20.qgtGK...D.P..@._.mR........NE'..y...;..+c.G].s....q..F../|..5(v=office.14).aspx..; =========================================================================================================.|z..........G..\$.....`M...hh...K..Bi..s0....".H>...G.!y..===========================================================================================..; XlAutoFilterOperator Enumeration...7TJW...V.M.....R.xV....V....R:...l...5..ny.].]m....j..A.Ep-.. by a filter...; See: http://msdn.microsoft.com/en-us/library/ff839625(v=office.14).aspx..Global Const $xlAnd = 1 ; Logical AND .'gr[W...L......t.pV..X{...HD4...p...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):46540
                              Entropy (8bit):6.598052695853867
                              Encrypted:false
                              SSDEEP:384:zvOTqrGNCLup1jm99SUxii6zLSLA4ijWdW7osYg2a/kcwOSwvRPYBEz5/FuP3GRp:LqH4A4l0ona/kcwOSVE0N3uj
                              MD5:68DE7037D0FBF473141F63D3B5117A59
                              SHA1:66F8678DD176A731521ACAB5806AD02B63F66692
                              SHA-256:625F207FA7E586365E13270B8F015441E38FB6869136D43B0D9907BB7F4D711F
                              SHA-512:9C76A54DCC7FA66A3DFE0BC8E63B0C0292CC46B213BB37D09C6E88E3877FACD6784DFDF861D9A6BF09D59DCD903273224E5918CAFF20A3F2D049212F42DBE896
                              Malicious:false
                              Preview:W."~n.R..^.hl.yF.C6..#._...w..<{.`K.4\.....H.9OpR.3...e.y..5...3"..#include "StructureConstants.au3"..#include "WinAPIConv.au3"..#include "WinAPIError.au3"....; #INDEX# ======================I.q ?.......0\)Iq..e.Wk....g+../'.nT>.B......$P...k..+Z%^.{...=================================..; Title .........: FTP..; AutoIt Version : 3.3.16.1..; Language ......: English..; Descriptio..b3,.....S.d.z.l.B9.J7.IA..6..fr..=S.r...X.v..H.v..8I"C.)..r, Prog@ndy, jpm, Beege..; Notes .........: based on FTP_Ex.au3 16/02/2009 http://www.autoit.de/index.php?page=Thread&postID=483M.A.9.......0\)Iq..e.Wk....g+../'.nT>.B......$P...k..+Z%^.{...=====================================================================....; #VARIABLES# =========================================I.q ?.......0\)Iq..e.Wk....g+../'.nT>.B......$P...k..+Z%^.{...==========..Global $__g_hWinInet_FTP = -1..Global $__g_hCallback_FTP, $__g_bCallback_FTP = False..; ============================I.q ?.......0\)Iq..e.Wk....g+../'.nT>.B.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44443
                              Entropy (8bit):6.704645659677546
                              Encrypted:false
                              SSDEEP:768:2k3kbJ6C4x5sQkzGc+tN0qk3HwgT+Z65EHokikV5RMU0W+Bs:nUbJKOQkzx3H4pfjLJ0W6s
                              MD5:F7CA3AB397D36F15F07BCCE7343BE905
                              SHA1:14DC2126CC486ED98FB56E4C8FA4B03706BE8CC6
                              SHA-256:85F93311D0EED0CCD5F61F3CC16507C71FBBBE80B68DDC496789FEE981379CC6
                              SHA-512:B868DF99D927B4A749C97960217777926357A18F0F45A7065BB2DEFEB1AF7B0945611DFA56B60BC6B1C0E89458AF0B4A7027E2E1232BC158C1175621E6324C44
                              Malicious:false
                              Preview:..p.s.yT.8.....D.OZ....e.......^.yy..J...y*84{...a.|._.....u3"..#include "StringConstants.au3"....; #INDEX# ===============================================================================..#.". ..jTL..t5Q......x.i........fI.....R..hf.R<..l .!.......e..; AutoIt Version : 3.3.16.1..; Language ......: English..; Description ...: Functions that assist with files and directories.,.%.^.iY.%A...g&B......+........f[8...d...hk6Rw..$o.g.....JdeB, Jeremy Landes, MrCreatoR, cdkid, Valik, Erik Pilsits, Kurt, Dale, guinness, DXRW4E, Melba23..; ===========================..#.". ..jTL..t5Q......x.i........fI.....O.!7'O/..3.2.....====================================....; #CURRENT# ============================================================================..#.". ..jTL..t5Q......x.i........fI....#I..Zcv.Q..,z.f.[..._FileCreate..; _FileListToArray..; _FileListToArrayRec..; _FilePrint..; _FileReadToArray..; _FileWriteFromArray..; _FileWriteLog,.%.@.t]......&D.]....... .....!.{+.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):7048
                              Entropy (8bit):6.794214894438035
                              Encrypted:false
                              SSDEEP:96:vRk0bSnwrmcgVkaGaDzm75sttoneN7zS35dxunaiMYt2RjFl3Ij5xHf3Y+txi:vRtbSntcgKaGavm7y+y4bxdNTeHgwQ
                              MD5:324E3E04BB093914D54A0C99A6F57B1F
                              SHA1:7FA8209CC75A7F33CE7A659C4C3DD6F888378680
                              SHA-256:4A80C01363D64F17549D271CE752C96F5D8775001F5D1D5C6AC6D77E40F1FFD4
                              SHA-512:027A9CB95B22CE5409A462BD2FECBD8B6F252A6547E8430B259B332BFD77BFAE0A902976F6EF87F29495FF7A9B1B092F16F4331C53FB298E9DAE366C76DDA3AD
                              Malicious:false
                              Preview:..C..!(f.\*.5:..o}........W.Be{Oo"....;k..".'}..H.g....m...0==================================================================================..; Title .........: File_Constants..; AutoIt ._..;"#..w.c...Kw......U...=f\|1...&.^..v.rM..1.)....?X..#.: Constants to be included in an AutoIt v3 script when using File functions...; Author(s) .....: Valik, Gary Frost, .....; ====...E.iq>..y.m...X{.......J.Be{Oo"....;k..".'}..H.g....m...0===========================================================....; #CONSTANTS# ===================================================...E.iq>..y.m...X{.......J.Be{Oo"....;k..".'}..H.g....m...0..; Indicates file copy and install options..Global Const $FC_NOOVERWRITE = 0 ; Do not overwrite existing files (default)..Globa..n..'8#.u...aa.2.j......L.0.#.%m....c.Y..v.}`....W.....<...cst $FC_CREATEPATH = 8 ; Create destination directory structure if it doesn't exist....; Indicates file date and time options..Gl.L...#m.Gd..c{.*.j.......G.Dx..&z...&"
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3920
                              Entropy (8bit):7.80592946934614
                              Encrypted:false
                              SSDEEP:48:QG3fGFwGerVeV7RV/Vlx4xs5jUlD6Q5KtjwP6N4DpNoEh+lJ948+FLSWx5hC/YWE:WP2+qR5cwPE4T904vTqY6arr
                              MD5:0CE5729F9E4CADCAAE5DF0F723266B01
                              SHA1:5FEFED55CB054C57033C9DC346AF7BEE49F96A57
                              SHA-256:175F4EADA314F1C7CB169BD829832FEEDA7137BB2A84685FAC597B50F6E93D01
                              SHA-512:54835B6414E6E9F7EBE1165897F0AA5E8884151AB63E8C051D53CC13702E5634E704E274D1346480F68369081A9EB0BB46CCAE0A25219CA8C5D7817B1BF5DDD9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2382
                              Entropy (8bit):7.69651237380071
                              Encrypted:false
                              SSDEEP:48:E7cEH3lvc9FCipdu5loL4riurDNhtDK063tyLfUQ:7EH3l090llobCNT63tyLfd
                              MD5:934C590FF07B3CC90C2F4EBFBC93FAE5
                              SHA1:A25763F1E58FC99D2C40E5658AF1D4BF8165DCE4
                              SHA-256:2A3C2E4DFF3E3067AABC79F80C829C45C678407275A0EE3F2CD78EBEF713F21B
                              SHA-512:CF605C96A17D29DFB1B3C3489125BC113E9C007A42D8491257BD21BFDC6EA161DF977E7D1DEB7525E9E01EF64122568D1C5ABA17FCC0EB18382A4CE041E66AEA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):304934
                              Entropy (8bit):6.390069963536487
                              Encrypted:false
                              SSDEEP:3072:7tTQqbgu46tbpEwoqjWvF52aipc3GqRXqUvLSExcJJLNLI0Xp0HoVYVZD0m72oCM:ZQqeSCBqaSpTHoW/qH0q
                              MD5:3F899C653DD04FE0993B4BB711136D33
                              SHA1:EB59F1F5BDB253630E492E33AFD63A882FD064DD
                              SHA-256:65B9AEE2ACA73871BB24C7817C68609611AB3B7CFE4AC5D5B21DC3F5D64B0F37
                              SHA-512:A4A58D2B716BF10265D42CB7D0E9C6B68D956ACA450989BE5B369A82FDD3D02542A6758B3854DFD66AA68D4ECBA717F68C6855AD92119BCCA1B6DD94CBD0AE99
                              Malicious:false
                              Preview:..\.gEx.K....h..._m.:...'..L1.k?.n./.....9..%.;..Y...YS.....ctureConstants.au3"..#include "WinAPICom.au3"..#include "WinAPIConv.au3"..#include "WinAPIGdi.au3"..#include "WinAPIHObj.au3"..#.Q.~Ty.D...85.C..j.w.......C.$..i.......*V.+............v...==============================================================================================..; Title .........: GDIPlus..; Au.{.+fy.....Y_.9.O*.o....<..i..r+.H.o....7..q._..=...hR..."..on ...: Functions that assist with Microsoft Windows GDI+ management...; It enables applications to use graphic..S.o.z........*..|.y...h..(..bj.D.$.....{..6.X.D..\E.......; Applications based on the Microsoft Win32 API do not access graphics hardware directly...; .A.nQx.F...RE.d..v.:...n..(..q#.H.%.....7..6.S..\..J....'..tions...; GDI+ can be used in all Windows-based applications...; GDI+ is new technology that i..[.h\i.....E.c..k.*....f..(..bj.D.%...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):26520
                              Entropy (8bit):6.933111989246408
                              Encrypted:false
                              SSDEEP:768:oOQ8WCoDTXZXx14Rj2DGI7TC+6N+P6VMDB:K7Bx4a5lP6U
                              MD5:5C2BDFB8F2414B42C62AAC80520BD3A4
                              SHA1:8FB9DBBFE70F50EDF4AD87F5AF36D533F93064B0
                              SHA-256:61DC332425CD9535497D5A32766745388059F5A46EB9ADE6C39BA590285D92D7
                              SHA-512:2E8D7179801D856B89C6ACAF60EBC4331FDC152BB871DC9EDCB90266194961AE04634EB4BF8A80E63A0508B6070A0C889F48116918ED79A3C9428AA305920926
                              Malicious:false
                              Preview:.0...".&M0C.....S.`..vp..>..X..G.#.T.....t.@...(..)'w.}9.4.==================================================================================..; Title .........: GDIPlus_Constants..; Auto.-1..%.*.1..+..w.m.\8.i.......T.0.G.....%......5.Fgy8.0p.f. ...: Constants for GDI+..; Author(s) .....: Valik, Gary Frost, UEZ..; =========================================================.d,.Kj.~]b..%..d.~.l..t.#..X..G.#.T.....t.@...(..)'w.}9.4.======....; #CONSTANTS# ========================================================================================================.d,.Kj.~]b..#..<...."Z...n......p.r.......:..Y...E.gUI...T.E.T = 0 ; A square cap that squares off both ends of each dash..Global Const $GDIP_DASHCAPROUND = 2 ; A circular cap that rounds o.?1..#.c.1I..w..<..+.5SF!........9.p...............E.q][...A.4.3 ; A triangular cap that points both ends of each dash....; Pen Dash Style Types..Global Const $GDIP_DASHSTYLESOLID = 0 ; A sol.=1..9.Nj.A..y.....0.q.r..N..$...#.[.(.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1323
                              Entropy (8bit):7.508778246805147
                              Encrypted:false
                              SSDEEP:24:1uTwor3UwoFgnOCOfwor3Uwor3zheqiwjkLk2sywumFYmLKpY8N2tC3CuxX:MKgO7bilXiE7GVmimLKb2tCy+X
                              MD5:E61527A8BBE67285C5C94888E0B011AD
                              SHA1:D497E6C9ABD4D4976EA3FDA96EA76DBA583D1196
                              SHA-256:F2693827B669B71B8C2EBA61D917D544F80C8E0EE4F6B5F569118C605F2A23FE
                              SHA-512:04C285F954B2CF612B23B3D1C8BD051D87DFA49CB7BA9E35941A9E1CBC81038AB3D25A7844E444123A211A2F9AEEB7E666142A1E716CD5A0EF455F8A43C8E921
                              Malicious:false
                              Preview:G.z.......5.t.rk]H..W"..H.8.L.g.f.+.*..E.s1..6.v...d.'$.[.=3?,.Y.)..XH..PfE,.E[jN..#Q..-.%.L.g.f.+.*..E.s1..6.v...d.'$.[.=3?,.Y.)..XH..PfE,.E[jN..%L..d.}b_.t.u.8.9..9.",.B.$....7.i..].A{v~...B.....DMaX".KHfE...f..\.v%..=.{.8.9..B..b..b.#.....iz...tgm..J.:..&..Y.:.e.X.?...}..r.87..>.,^b.7e.1..|.b.*....*..".'.tfmc...4..K[..M..}..Jw....f..T.tb_.t.u.8.9..B.D7..6.v...d.'$.[.=3?,.Y.)..XH..PfE,.E[jN..#Q..-.%.L.g.f.+.*..E.s1..6.v...d.'$.[.=3?,.Y.)..XH..PfE,.E[jN..#Q..-.%.L.g.f.+.*..E.s1....h....,..9.'.IMm....z..K...OVr2...;...>N..d.w,2.4./Vx.d....l...b.(....y.Yv...Calb...`......`Q[x..."..<(..u.q/..5.(Cw.cQ...}...(.%....<.8\...Calb...`......`Q[x..."..<+..S.v1..4.(rn.vW.Z.D/..h.>......im...Calb...`......`Q[x..."..< ..d.q'..5.(Cw.cQ...}...(.%....<.8I...rkqb...g........K3.rE>...k..2.q!..>./ty.dV...=".8.F...:.o}.F.Sbku...{.....^.u.d.Zk]P..}...u.:.....8ty.dV...=".8.F...:.o}.F.To`R...`.....K.hZ..[.9...z...D.}''.?..Xx.cC...`m..).A....5.~|.D.pJmf.Constants.au3"..#include "WindowsConstan
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4363
                              Entropy (8bit):7.825997338102069
                              Encrypted:false
                              SSDEEP:96:rxtxXZxtx9xtxhSn5Ir+2moedKUWuncX+mM+ZqW0DLvxtPr9U:rH7HTHhr+2moed9WuncX+RtPHpU
                              MD5:C5CD2D3DF2C0365474A2FA91FC9DCB8E
                              SHA1:5A2F78246E8223334306F6C76BB7263BFF274C3B
                              SHA-256:7316F9BFA44812A36FC03FD391F368375C89E5FD9E0DA68DB690E916DC735015
                              SHA-512:34BE1A38E6BD3942E1920CB77761921FF8CF1C68503F93CE8E87A681BF5A2D35B89F80D201001F5D8259F23B4727E4B409B789F96C07BAA4D34172F810F11D81
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11270
                              Entropy (8bit):6.265096888675748
                              Encrypted:false
                              SSDEEP:192:sAFph+SLU0OxfnIf9cygUQBvrVdlcBSUrK75cWsZdZma//qYlrDAdN:sKph+oHOxfnIf95grdlrUrK7bsZdZmaK
                              MD5:C5B3758E261F5873C3E3231D8F125CA8
                              SHA1:5C55E15ADD7EF89476A76F71814A3379F3E9717A
                              SHA-256:D2D4CE6B449499EB4100E32C97AF43EAAC9D96FE33FD6FE07AD75E6FE27F47B4
                              SHA-512:C3FCD904434F0856BA8239353721B759DC929BC8048ED1D62489A6C5C5793B02A057E13F3C92B125E194DD3927CBE782FD453E483B3C7BC09CF9422C371FFCF3
                              Malicious:false
                              Preview:..JbL.k}6r.@y.u4.i.O.7.}..wx......PD.*I...Gu#..g...}...nternals.au3"..#include "Memory.au3"..#include "SendMessage.au3"..#include "UDFGlobalID.au3"..#include "WinAPIConv.au3"..#includ...VI.NHRT.Wy...R...Y.`..~..B]........xb..n-T..Jx:..0{.4...#INDEX# =======================================================================================================================....UI.c};3C.2.V..:.m.+.)..O<........gT..N,N...*x...sf..4...nguage ......: English..; Description ...: Functions that assist with AVI control management...; An animation c..PsO./qh=..k...Q. .D.6..4..MP.......^...C&O.Jm3...$>.......) clip. An AVI clip is a series..; of bitmap frames like a movie. Animation controls can only display AVI clip.PiA./|t=.Lh..Q.t.E.b..(..N............c....9v...e+..S...se for an animation control is to indicate system activity during a lengthy operation. This is..; possi..A!B.lynn..h..XQ.e.M.+.}..ST........
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28799
                              Entropy (8bit):6.374905005417324
                              Encrypted:false
                              SSDEEP:768:oPdtS8QcwQBkpq/393AdUsvN1CO8+bYQUCiMwXc6Lmz+5:Wtsl5S7
                              MD5:FB3D537E86CF8B1B9B5A9F4B898D87CA
                              SHA1:3DB3F41F35E024AE15CC966C908E47294BDB9C1A
                              SHA-256:D5D9889AE215A64ACD8D7D4646D558BD7B0F676B9A4CC868AED10B05B0617E86
                              SHA-512:5204C66BAF4AA2094D137F438E3D8D49FFDD47833C54F6891AC8A54F50AEFE13963045D98FFEA47317650232B1155318C131E4579586663DDCA2CAB55199314A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41931
                              Entropy (8bit):6.138898201886382
                              Encrypted:false
                              SSDEEP:768:xfcALqMQPK4KfXVZRxbzlIVb9TG1OPrj4DYfqEjl2wZRwvRv8NSJuHUX58WIY57Q:xYKwahIo7I5EA
                              MD5:2B3F803B60256EB9F703E652679A47C3
                              SHA1:35ACDC1AD0AAC69F902BC46AC8BC29556C2A0112
                              SHA-256:8E5CFBBE03252155F1A965FC6A9C6998721B5C4FFBFB6B87943F6F9255D46F67
                              SHA-512:A88946105283C4D19B7FABE0844560905D1ABDE0BEA32B653FF0B1F542B23830E7F7AA8D4E61E7B7C6309A472ECF6B6EBC4C242BFF64FA42CB1381D04285AF5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48540
                              Entropy (8bit):6.123624173326748
                              Encrypted:false
                              SSDEEP:768:b/1NkGwF/hK2EzyXsjKMZu2ezTL2HRa0rt4PA9qw9vxactxyvedSjvE06JsrWfdW:Py7EzvRhgDI7c
                              MD5:70F3CB3DA0B18E9CBA457F02D1491FE5
                              SHA1:24F1E6D87F1E8001F764FEF05D70759B78A5DB79
                              SHA-256:03C148DBEE469BC9E60DDA76126FAB7D7061D6B2AAE3190C8651B3FC6AC7561C
                              SHA-512:F73AFE4F91F5C65D4FC8CF394A82D76A62AEF635E66664C881A6708F93FADC4253635A2CA3B5BBD4B1C4AEE1E819CFF4E60FABD24EDF45DB00BBB6922CC64BCF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7439
                              Entropy (8bit):6.441723759666785
                              Encrypted:false
                              SSDEEP:192:/9yJLk4+BuvDD5PoZE2ZK4DeBwMCgMkTA:/9yJgHIPOzZKBWgw
                              MD5:4F9ABD2AA66E04BA7420FEB19264D6F6
                              SHA1:25CA1BBCDBC9A2B88474234962A9702F36E8F1E3
                              SHA-256:2B6EF69AF72F209CD621372EEEFDF666A98211D15FBC56424A165919FE6C2947
                              SHA-512:FCADA9BD46A68F3ED11869C5717AB7D5DF9FF0D3346A850E4BA2D96635520DA67DCF9ED8613E6F39E67F097F0F07821AAC797779B77F19C7ED18EC8627AA4235
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14223
                              Entropy (8bit):6.175087432147066
                              Encrypted:false
                              SSDEEP:384:6eLifnAMkS/0wsPKYnS+b9ul/D38gIMY5:6XfhyoQ4zcB
                              MD5:BDE208FA05C7D5A03542B06F7A52B5E9
                              SHA1:77D1C94EA2C9A8C2B444733EBB1C78DE4D63B6B4
                              SHA-256:13C1EA21405B95A1958082D66C13C97E825F94F048062B88C830507F447DA2B8
                              SHA-512:3E0712B9B300610F7B683D9667A67FA36257BD9D27418F847A53B73307005067644CD1C93A8AE15AEEF03558BA30B5E7FEDD843C27A9D8B516F76E9A511E99B8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55244
                              Entropy (8bit):6.289265842699799
                              Encrypted:false
                              SSDEEP:768:KLUjzhxl5GZBKSZNWo4tfyex4qVwDB+0z60rcsGHbNNF9LZABitOUfU6QjZlLLQW:uUcBzGKW1evYwpS5BygTsT
                              MD5:3C637C857B64338564D7E1D281D98CF7
                              SHA1:ED0083BA4BAED9D2B716E3B2E19A6C8B09A05F76
                              SHA-256:80EA14913CC65498DA37DACEA3808EB878E55E94E00374D243E459058F1DE757
                              SHA-512:D5D261D5882673931A63F46D186E99589776C8CBA3D1912D7CE0002FE5C2956C585F2ABCFDB7CD7ED30FD4B22486505881A53A2DE6F17609DCCC76807CF42C84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41894
                              Entropy (8bit):6.262852432835088
                              Encrypted:false
                              SSDEEP:768:zszJn5ogRUd728mwLNLqaPmFxQ734q7VimSZCPuY8hED17NEgpUqDOaTYa:z2RFYQmbjVoExYa
                              MD5:65EB1316853BA2F2A4C59A7F38FD5EA8
                              SHA1:490C792FC6AA80B14777DAFDC013E35596C63230
                              SHA-256:76E4E5A64CF1C677EBF78971E5CFC875B084863BB242F1967B403F793CED4C61
                              SHA-512:24E7F09CD6E575928EF8386779BEC5D46F0F34650810F0CDEC16161F4858796D4ED4A25FD204679D9B884B5464EA1949E76A6FEC01224234FF7819ED85F76BD2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12733
                              Entropy (8bit):6.136840604271079
                              Encrypted:false
                              SSDEEP:192:S1NtxU/J1fbkylFSl2PlvVlbrWp3SlqJGEL5GlMQ4+y:S1NzU/bfbkyl8lilNl3WslqAIGlMQ4d
                              MD5:D0F854EF1FA77EE1FA295E8F3A784C09
                              SHA1:7D14D8C17A471ACEB6A5EC576C65CFC025FC7603
                              SHA-256:407DCB94CB3DF452991EC78D231605BEE79EC4537E7C2E32A6E6F9FEE650153C
                              SHA-512:2829311BCC11FCD4BF471F981980D6B6411EDC0AF74D65C304B2DEA8A0833AFC4C3F2C759271337C16E3417141CB13DD5C3FBF3DAD45640FE8CDA9D3B305EE94
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31828
                              Entropy (8bit):6.293650301377012
                              Encrypted:false
                              SSDEEP:384:79sE7Dvz7cuFJgDwygsDFiSq3RvBXbQJM4lpVqXtLRj01ElmjhY+aJZB0e9CldcZ:7jeqHSdRXcK8OTsm4bmShLFbJ3ovC
                              MD5:184C93BA59EAB5539C95EED92944717F
                              SHA1:ADEF12DDE4E6291CFCCCF445EE1AE86B6C96731F
                              SHA-256:15644069EA0852CCAEE152CB42A5671904F3E9FFEF8957531F1CAADE43E1A63E
                              SHA-512:BB866841EB79B5857A635320DC720144E51C415A268D78ED2F6D79246592F3BB5961BF8F656D8EBA9E4648DE6A6AB022FA63137ADFEB93281CE50063304028BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44404
                              Entropy (8bit):6.2308147029876775
                              Encrypted:false
                              SSDEEP:768:JvAAXlkmbfXYTSHw6WQCCWkNcvYfVq62ijwUkJObvPSKz9sjw/41ZzlyErkh6hb1:GIkGRWcM
                              MD5:565AB7CAA67DF8C413E077928F967933
                              SHA1:ACF6364093382356A21F31A931D63F9F14A440CB
                              SHA-256:2589B1CB6D2B7D1DF6A1119576656DA796B89FF42B96148A71CE4D799ACAAB8A
                              SHA-512:5032AAFEAF814863D6AEBDF71042D6E08FC8A7FC216F423B7137354A3C0232699130DCA9AA17648232B787CD79D452E44BF09DB7049FEC7F5DCDF97666562E49
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):196299
                              Entropy (8bit):6.462499055809714
                              Encrypted:false
                              SSDEEP:3072:kc+7lVff9kVDHhP0g8ye3afyEKlrMJYMeq:Aflk4TrvMeq
                              MD5:B176517B5DD02378BF73B07F121E487E
                              SHA1:BDFB37E0E66F96F81AD928E80C1B3EC10B4821B2
                              SHA-256:15B01664D117882771EF08461C19C67F5FA67656B18EBD70F9821D414840E7E2
                              SHA-512:FE0C64A86B2B9DEDE939B10914C15ABFDB9D3126B053C071FFC266B1FD34859475B0C7977D58D0608375360CD93495DC90B26B011C919DB7330158E3D4FDF417
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):61900
                              Entropy (8bit):6.151075750490252
                              Encrypted:false
                              SSDEEP:768:H5jQFzhobc7TYvu91Mw5exTk4ntCOe5j1EDDPbcqUvDeq7E9OoQHukWcYj:Z0FqAYvyMw5m4sLweZZ
                              MD5:9E5E48471977B0743214F07C8A27C777
                              SHA1:087DD91BE82C3CE09B1EDBE5D96E5C362AA18874
                              SHA-256:088D0366050EA581BF7FD3CEDD8D8D1D7A4C848F80F2DB40E2FF87B094177E26
                              SHA-512:12F550E513C494B617D049335536464CDB5E5905BC8F651B45CA6714A6FF881616F829BC1447BB7D45890F8D73FC85C72F62036661EB44B34550D3709A6652DF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40050
                              Entropy (8bit):6.294565375697112
                              Encrypted:false
                              SSDEEP:768:hwDm0jWXvW2qKHKE2E0wF9csklJfO7ESr2VD0ODXkerHL6t8ARr8s4trapd:aDmyvsCQEq2V4iFs4dwd
                              MD5:49BD6C19A571CF11B6D2EC5D9CF58854
                              SHA1:0206B0B8277FEA30BC4101789CF7DEE98A426D44
                              SHA-256:21CFFA8F262DE01B82E83D0CB82F1D59FD40A147151A24453B0BA0D9C0B3E4DE
                              SHA-512:BD12D30DBCB61761D6FDB0461169A9CC4E5504B07A79F2B8F26F15687C1ABBAF3FB0F569080E014DD7C9CDE8934F245BC740D0F8C3C004443EDA7973039233FC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):67447
                              Entropy (8bit):6.239545772019287
                              Encrypted:false
                              SSDEEP:768:qKfncoiu7wKZTWs1jIR6GoqTVf6VkgVO275+aiEs8BM3L0Y0yp+WMnCmd4+HGKVJ:q2ncoijeWsv3V5g0GKFFqARZg0h5gVnE
                              MD5:8525C82F3EE875E76C95F74E26772ACD
                              SHA1:66549B157BCEE696EAA0FB7FE0412C9A13C52B69
                              SHA-256:5951A481A8F79D5FD56D26E4DC3B5CC9996A1AC2FFB0F0BC8496F917943FAF66
                              SHA-512:F9ED0C39E57E6CD54FD0641C0609D85CCEE8B42E41092A3BB7EB13D0EBDA9143C5DE1AB5289F4C1A682249DEC91989AFF356BC8C5959DDC4720661FDF0CD2ACA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):209303
                              Entropy (8bit):6.597216290908052
                              Encrypted:false
                              SSDEEP:1536:KYYnhCd4uTZXkvmPY0t7mN9V8J3htwMqS0zdfh07U7NIq7wSVd5hI:yhCdVFX3g0QV8JxtwxS0j0QxBHI
                              MD5:53CE0F6D88CE229452BA1514981DABDD
                              SHA1:A9608D9C92054AAB7E40E06A70134B1830069E2C
                              SHA-256:4E95FB8C7B0084D4D938C0E632E4835CE7ABF5A00BDF1A4F2965651EB4A0503B
                              SHA-512:08EFEAEC0FC1C58E26A752FBA900D4BF531D724FC1A1F306D8AC65195FF6B7DC82029C75059AD4DE7CE09C67E35754B98E836C2BE94A79C8AD10D17EBA2BB3F9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):24990
                              Entropy (8bit):6.41157282699041
                              Encrypted:false
                              SSDEEP:384:GkTnl6s5lxKOlex8l3lcXlHlR3BOO3Llnl24Plb+SgY+A8ePfl4s:zPxteOVc1F3tljb+SgleF3
                              MD5:217C05167CAC8A3BC5FC1E66AB9ADD50
                              SHA1:26CED1383C2D59D7F0959AA343EF89D3CDEC6D3A
                              SHA-256:51F302096FABD4B79602CFD620CEB6E0667358E9638A8313A10A96A9DBEB448D
                              SHA-512:35AF8E020197E968CDEA88DE73E6D0BD052461357C45F1C8F2CC5DFB105E8E492519766DD177125A66B187A28769D028B63137729B5CE9CBD817CB1A31AF608D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:Dyalog APL version -15.-97
                              Category:dropped
                              Size (bytes):27089
                              Entropy (8bit):5.976876192188699
                              Encrypted:false
                              SSDEEP:768:4hGX+bOt6VLyaNxs2UBnMH0RyECNkJ6IeOj4ggLd7X2pw57E+5lT:iQYdLT
                              MD5:64A041908E502D37EDB8EF2E908C70A1
                              SHA1:33A3307C37F78B60F9897C5F93177F70689BAEB4
                              SHA-256:7FDBC64656523FA29B4D053C20DB3B7C648751CB84BC1C3676D7CEB1FEF0AB4F
                              SHA-512:B26EDB9D4D057C1990699A766C37E60FC93D53180AFC8B94A0046D9846694C425494D02F4B0F004DDD1ED255F4116E3299492FEB57010674B8BF71A9BAAAFB9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28779
                              Entropy (8bit):6.218514890183461
                              Encrypted:false
                              SSDEEP:768:uWUhFnt/Jm+u8wG9CVLB9mLYfL6wwkq8OUb/ysYHo0eY1H0pe:uXEGwrmLwLfLysYI0rFF
                              MD5:60954470CDF1235BD32090D5BB33922F
                              SHA1:63FCAF685999AF54F2C4138870322F47938C152B
                              SHA-256:A8CEFFEC388326104E7118D242AB5CF88DCE3F6C1B1D76DAE2FAF6FEF910AA48
                              SHA-512:779F27645EA45D7F13A4D0E09B0A6902ED8BF55479E7A735579D10ECEBBE7881EBF91C3C2B6BE8EBD31BBD08F2292A82FE60092B9F8AD241CD6D564E837EB50F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38512
                              Entropy (8bit):6.1929227927201564
                              Encrypted:false
                              SSDEEP:768:iiXzh+EVtFzpjOKdKMruDn578PVjmOX8CxDM2kNi2T2Go4DAiEcmRmUyiwfbPvHU:Xh+yjOijmehuPTdo9ebJC
                              MD5:F404055CEC62D79F7CB8465366DC4702
                              SHA1:F298F9B9541FC344EE5DE96F591E6EC38F470C90
                              SHA-256:81C460B040D978D78B3B0B2E7193FC7F5CFD345EFDC60C779F8A3E3A25E7D56D
                              SHA-512:C3565E618642D280A62C18EF74A3B66520DDB04E4A693D366A82B6D5F389800514B2EEDE44EAE2A5CDCDF82D60FD05628E73FE8081E2EA070BE5E88EBF27ED37
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41162
                              Entropy (8bit):6.21441701941515
                              Encrypted:false
                              SSDEEP:768:4dNTWtHW2FuU8U30+LRcLH+xqRE3TZwunBy4Iubm:4EHpzYIcL+/qf
                              MD5:A8189977B6A67DA06FD1C89C2BE3EE7A
                              SHA1:DAACBCF52A159AB9488F9ED562CF0DA50A5C6074
                              SHA-256:CB97E35698131DE5347F92F8CF06B9F8DC9F4C4385BD341122391F5B71999B8F
                              SHA-512:B0043D5F0883F32DC47BC5F384A1C47554F0E00016ECDD555BDF1AACCFA3243C15B843B40983C842B81EBB23E532E8D9D850BADAF7488D831368FA01A5DFAF8C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):80333
                              Entropy (8bit):6.104995414969738
                              Encrypted:false
                              SSDEEP:768:8R2I0DvtEjxFp/riTBwRji987QK5J9gAaZ/a16z2DMiluVm/IKqya841UNQZ/h2Z:38TEsvfP68fomCbBuUFc
                              MD5:709B52EBC7A9329666E444606CB58A6C
                              SHA1:48F7F45010747250F38E824AD8612A6F4E9DF201
                              SHA-256:8B7F4EF496E0F77856E170F49AE6E724A6C54659B63B8B9F1A08FD2E5B3BD846
                              SHA-512:0F96D2746E920718C77AC31B14276693DBA27D4EE108592BC638664723823F0E1ECE8B74FAC2C65DE81ACA84B50E018A0D9A2A4946ACE9964B1532C72F0AC99E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):118803
                              Entropy (8bit):6.34885244919958
                              Encrypted:false
                              SSDEEP:3072:+iJBmoFlcqPJwaIaWl9WRpOUYpBVMHlSt+Su:+ivmoFlcqPJmHl9iP4MFqI
                              MD5:3E5669B80E9407C0733495C574C5566A
                              SHA1:10D5803733A3F915B58C4019D1B8E2DD7DE71A63
                              SHA-256:A3CA23D0959D7E9037E08D2939ABE34DE8349BF19858DDA88B1CA34BC2239E95
                              SHA-512:21A25EAF3C9D881BA5065853CE79E16EEA8719E9E38C5CC80CD30C3813DE4CE1EF204233F1DD0C6A905E28B0F5CF15631F58C8761CD811A4681AACB85BE438A6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7327
                              Entropy (8bit):6.810977265349919
                              Encrypted:false
                              SSDEEP:192:m+oDJdQSgMCVnPEzkn4jiEMJAY8+2c9Tm9TM+njKgy6:m+o4SgMCVnP5EMJAY8+2wTATMYK0
                              MD5:0D1570981FF29449CC8708BB5E668867
                              SHA1:F9B865440322E19139E0BF50A9B8E0C7677FE284
                              SHA-256:A0890BF7BB41EAE514ABEE9A639798EE009A9FD354EEAFB57AFAC5BDBA2D1334
                              SHA-512:ABAB21578861F319ABCE9C19B6196356C4F8FFCD2E10EC4E3B0D412E1B641CC3C417AD46115B3C330527D094E8F91B9FC2FC29E2BFFBF845E7AC0EDB24EDBD38
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):153769
                              Entropy (8bit):6.771706874805446
                              Encrypted:false
                              SSDEEP:3072:SiPqqNhrIdWtpfMipui2+b+g/VNETIAaa+m7xIaI6ibzPa2QcAZ/9Ak/bD6kjuXq:NhvjEipu8AIAp+9j8uI
                              MD5:9A456891ABCA8F5878B0DA9A05328C2F
                              SHA1:F8DF8F9CD377B71C777681765C5640F6B8A22812
                              SHA-256:D9C3F2E1C8DF402D97846FB5CB7E8C1207C30602D09C805A64F3D212D6A96430
                              SHA-512:EF47187957A795548991F5A9357D44E1102508106A1B308D96E1B8BA4A8505AD5B2BD55B618EE6C2C958AA06CECDD52145FE0C8F9651FC98FA7366B42D63F344
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1688
                              Entropy (8bit):7.537653220518947
                              Encrypted:false
                              SSDEEP:48:qXL4n7l4nntF4n7l4n7zun7l4n70g6iGHNrcX9ANU4n7l473nax:q4B4ntF4B4fuB4ogyZcXuNU4B4zE
                              MD5:E919CB53D6C0D4A71B45F7392C0835AF
                              SHA1:8163E74A2CA9F8370B21507DD21D2B80F9ECD0C6
                              SHA-256:6CE3AE22ED632B68DA06C2F419D4D1011FA83B20D06C706E4F491605971654EF
                              SHA-512:075ECB8632EB5869D48D144021C83AA9F400CE4B63F7C9B12D61752657776074546699A84DB200847FE89AD40F4B0B49EFE3502CF071473AF3411A936FE8CC7D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2059
                              Entropy (8bit):7.6324484418368295
                              Encrypted:false
                              SSDEEP:48:mW7TYo7W7+W7Xkv1hIbWEicKo/rrF76h7WEtoII:mqzq+qUgbWE9KoHF4kII
                              MD5:57AD5E287049F3848A192998902AB1BD
                              SHA1:21E543BD562B7755667F34FDF848C7B53505DE65
                              SHA-256:F8AEEB5A44C69D418736870C457D319E767BCB6275A0D2A30FF83F5F10191B2E
                              SHA-512:C9B937FEFEEF0A2A4EC87110BAFA447CACAC749663759EF848FFE7316F1F657F9AD246B5C32496B880759CE9779E3E8E11B5299CEFA9538C1515828E322FBDBA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15506
                              Entropy (8bit):6.677143043055797
                              Encrypted:false
                              SSDEEP:384:5EcLcyyWGOwMtLkunemvsIVswqSknZzU7z1pCKqEjS:HOWGCpWmtWLPnZzqJaEjS
                              MD5:5466CC7462B08EFD8021F677CCD40EB7
                              SHA1:B0EFCFB00D08787E4FF77B33A926C96677E1B58E
                              SHA-256:BA7296041D17B4E50D7BF168BD6F7F4F87F83B01363F239AE181F8374E486FC3
                              SHA-512:716C3530BB21929F02B7226E48F1E6255025AC0ED875984D2917E3D896A518794BC0378760CA28A8663A850DC4283A3B0563BC214AD533A694A75288AE681B0F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1610
                              Entropy (8bit):7.454538714879322
                              Encrypted:false
                              SSDEEP:24:6LT9LT2g3efXgPNtGT9LTqIpvHf9LT9HpOGkP8JDDH/x090ZLahU8rwLT9LK+WrB:aBRaXg1tGBZtRW4DH/OK9csBFKue
                              MD5:7F381C5ABB3A921F6DD9AE6B1923419B
                              SHA1:C1A2171D6173216D9463903534BF555D6FE3CE76
                              SHA-256:1AA00E3628250D6D0E80A0C54C1FB03548D5936829725EFF19C67CBEFE790FD6
                              SHA-512:FD5B8484905C7F7172779B2E666150F463E04B394CEC405D78734B6B7B7F2A78C356FD02BE0E0664F1E07F5EE545E44A9ED98140FF873CA1457529F2F177046D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5338
                              Entropy (8bit):6.730855159928755
                              Encrypted:false
                              SSDEEP:48:fKLr5WIBTnVSSqogq+VsTjpmivaIae9kbVSEQqyhjpN+eKD1dyB9hyJmPvnxdCBB:f6t5TVfZ7vlWbR6zLhPPPx89uwXuvVq
                              MD5:0D1DC6D1EAC0CEC3F813A41F0F9A2962
                              SHA1:982CCEA95050F2FCEF54492B3386CC72F4934072
                              SHA-256:067A60DE64FBE6773FC74713D2BCA1B1FA49F9D6316C9A268773CFEBBD2C5A81
                              SHA-512:5E0B813372524A2834282DA6064F0244C634C0B592C5B3255C8AED68FBF79DD56CEC87D55443D4CF27AFB48E1325FAA89E4E5186AD15CB47A285A26A49EDB3C9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23534
                              Entropy (8bit):6.832224593008097
                              Encrypted:false
                              SSDEEP:384:FZxlMRWT3LA9K3+QWXr8OwaMTb+LiB3DTmUyNo9VlYEdxUgt3qLC23GE5gdN:0WaDjr8Owl9YNo9VlYEdOgt3qLC23GEw
                              MD5:071407804D020B8C6EE5D356AF0A7ACF
                              SHA1:8DB0844B6815C8EF6AB71B47D5A40C034492C4F9
                              SHA-256:55C9011F879B2E506ED2A2ACE87AEA4D0560BA8EE326EB1D265A9EFAFDD52F0E
                              SHA-512:FF6B0B7C0A3A85B9C2AC379F68F620FB43FE62222870E7B3D2E71F12BCE4F5282D38B2CCD1114107F01390C22D90DA6825747BF42D87DA5A44E33930832BDDC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4964
                              Entropy (8bit):7.572400970429736
                              Encrypted:false
                              SSDEEP:48:Rsp5p0voYp5pNp5ppp5pTp5p0/p5php5p+p5p4+OPAp5pTo22SX9IMeY6b7keVLR:RbvoSOP37xVLr5z0JSQ5oNThDh
                              MD5:7771A1DB6B75F0A0E27C645A591B0BB5
                              SHA1:D2D3DAA1402133DDE4893961418B0B38339B6882
                              SHA-256:EF546AFDC7F083DC52A4FF393FD5BBBE11F9FCE0287084C7FF99EE6415CF1190
                              SHA-512:37F999046A7293DACF52ABBFF73A8406CC4F23551E16EE3C9DB345A6562E08AD075E51008103BAAD6C95988A8F47838263A014EA9A0C6B7BCFD92DE4F5004464
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1240
                              Entropy (8bit):7.22875125869802
                              Encrypted:false
                              SSDEEP:24:YrvvsvTB5AFJv8xs8gvvsvv0vsvve0I8zvGZvvsshmOic:EQVCL8xQQsQ/hzeFBm8
                              MD5:15A2A9198E2856D90E924260BA11ACBC
                              SHA1:08F6FA326C8E7C38DE3F2680B95DEB693447D5AB
                              SHA-256:A7E70362CAFBFAA6385CC2162388E3DF49A6C76FCFB1BA5F7F64EFE58974FE03
                              SHA-512:7899EECE515146352C0470F22252EB70B5B031F53F8DD87E57717E97834A3E65FEFDFAB6B945EF1E31E27C3C3D553A5B8CB49C3152EAB1C0CAE599E525489DEC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:VAX-order 68k Blit mpx/mux executable
                              Category:dropped
                              Size (bytes):18498
                              Entropy (8bit):6.277449048583577
                              Encrypted:false
                              SSDEEP:384:z1hqtaIY89k4ptluPkSe+7f5W3ql6c3/A/3wJUwshRdsXBOuTW:ZwH8bhI/PwshRdyO6W
                              MD5:605A2FF5243C9DC21FA2FD550D81DBE7
                              SHA1:9CB5C2BF32BFFD76EADDFE46D4F5FDC0561C6349
                              SHA-256:9F0F0EADE147C81EF2DED1C0A29897F804179AFDBAD55ADD79E54CA6DEA3E50A
                              SHA-512:C59CB23FD8ACC9138F1BCEFC3B27EC02CEF01E779B43EC9397EBF06BE196E2E978FCA2DE79294A345033A5125B7844FAEAFFD50B439ADAA8F962A7D58450D867
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2747
                              Entropy (8bit):7.745462000710928
                              Encrypted:false
                              SSDEEP:48:b38P3BOQyEP38P3S8P3M9K092CSnNk4BMwntntih9Fjn4uUcSYp9P38P3ljl3FAQ:7uBOQVuSuk92DZSpjndUJYbyjQQ
                              MD5:FE11439FF882D5CC4021A3B642DF31D4
                              SHA1:CB89C441A7A3FC70EEF8AD732BDD398146070603
                              SHA-256:1AA942B1E1B522BC047FC0430AA8D47B47675206C8D91371E7E8CAE158D3C353
                              SHA-512:B77D51BD0F857128BC7E1ABBB2A58BD55B174C675C3EA48617421E8ED9E3B95B5E272E396E685260BD8BD236B24C36D0150F13FFC9B12D7914A5DC280AD596AE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5208
                              Entropy (8bit):7.843370951709082
                              Encrypted:false
                              SSDEEP:96:0/NWwDMcFaE3HNiLsaJlD50KhycHSzqMzhC/Tv9pXUM5eC:XwzYE3t0saJlisyxzqKhkjvkwf
                              MD5:E7883832F2A45DD74FEDB449906B66D9
                              SHA1:53710F8D638D8D396F47762D40F790CF9481C1F9
                              SHA-256:93C508285ACD79279D7A83AED67444535D9439BEFA6A13AD50E757A21F52442F
                              SHA-512:064B8A39D9F8E35C3F3185F00A28E8886BBBD87BB762D92C58ADC2AB313937486CC27DC1B644F5851EA88766B6C5E28BA7E3D52977313170B3D6AE7D33EF70D6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):35079
                              Entropy (8bit):6.6574521181863
                              Encrypted:false
                              SSDEEP:768:OulsulvYYQLMuQ8mvNY9o/UrflbO4IQHmw3tu803Maf2xEOuDr88xd7O82rLb5+4:BWulvYYQLMuQ3vArdbOZQGw3tu803MaY
                              MD5:7C149193E17BE617B9BF4219E5DA4540
                              SHA1:9EE099CAC0AFDA761EFD835A7C705BD26229F2CB
                              SHA-256:D82A52144EEF1DB412513DEBFE44B6CE791407529D33A814F7F7BF49CA9E56E9
                              SHA-512:E718AC123CD4179593E1BA5074E1CA5ADF7BDB50280CDEA002E7140DBA4B962FFF9F2627C19F6EC3D6DEA727E21C231FB63AEA17644B62827797D1CCBA4CC852
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4482
                              Entropy (8bit):7.782215130542206
                              Encrypted:false
                              SSDEEP:96:kATof0LPOEL4bQZoSzGJQg5TEKcKvQYeIkADBdzHMYxPR6n2p1eomt:knf0rOEcYdbgeK3Q/p2r3RRmk1w
                              MD5:66A41DDB3908DC6EC771D9B652600350
                              SHA1:0E2FE23F52D15B72E913DF56DDC1CCB8A83DCA37
                              SHA-256:D6DBB5B09AB47624C225426F1E1F68594A1C6030E52743AED0266382A5D881B2
                              SHA-512:B0954BE7ABC142FEC57E2C7DDA1C53498213FDC8C2FA234468DF730DEDDCCCAD87B1CB63A824ECF0160C9CD7B5207F75F3FB356744DB001C5294694F4315CAE2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):240988
                              Entropy (8bit):6.7289078354519045
                              Encrypted:false
                              SSDEEP:3072:BurUbzoOtifiiwemT0ZCKehtHcx1c8gJh2Mi:BboO2iivRY5csLa
                              MD5:A92EAEDD9AAE5EA4D0D730BEC81D8939
                              SHA1:4E01AAD56DAADB0ECC1702304E44306EBEDE1A35
                              SHA-256:3BEE78D54F3A51DCF5D6586E4F6D63ED88FA8E04924D324739727DEA6CEB96D8
                              SHA-512:52BE29A295D873C77E0E70CB0CE1A73BF48F1475C3DDAE1926FE46631D38B055D79EFB0847F8EE4C5F5BC35079AF4D1D12546F1DE26133494C533AB5C5ABDC4D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14259
                              Entropy (8bit):6.3981378248398535
                              Encrypted:false
                              SSDEEP:384:1osc9Hf60YZEH59jPDHghYUiZEgpl4dqLH/8RBg:mf/zUfg0AGg
                              MD5:A4E88B382A6E8E4915F5ACF5EEEA1EBD
                              SHA1:CEC4E86A704E88724DBC05CF0323321CC361F89D
                              SHA-256:B809F558E3061EED9BA774C2046C3358A8667578C5DB352361CC591BAAE0D40D
                              SHA-512:63AF8773352B954972296429C2DEFA90FACBA5A2FECAF3F403052DB00C53D5C63FF657602B5BE2F82DCB11EDD0CC94DEE56BA0F2B2045588A4BF3BD678064C8B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):45783
                              Entropy (8bit):6.549405178180744
                              Encrypted:false
                              SSDEEP:768:LGu4FynELiqggWXUlIIpgpDm+iT6jVbeM8zVom8PTuCvJTA874gEDfAFk:LGu4FynELiqggWElHgpDm96pb8zVo/Pw
                              MD5:0F6F71F9F050B28FDB89CA23BE50598E
                              SHA1:35C7546EBA063F87EAB0A05E73473AD4305EC2BA
                              SHA-256:300CDE0598BF25FCE535166F595698F7B4E86D10531075BAEEA3D123C1358023
                              SHA-512:0E64CC433FDC1CB5C2A0C4F403F47FE9E50F467A922EF969ACB61E9861382FF67DE9F0A062C6281551BB1E744EBF3A3DC3653C10EDFCF86C63CAD5246D1DAD92
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58031
                              Entropy (8bit):6.533750580295773
                              Encrypted:false
                              SSDEEP:1536:gnKpUm2IjFs4ptg0l5Ivoc65ly2eKyIJt6pGF0UfhNF4J4GHaECc9:O49NcUpfjFLg
                              MD5:3C8F9670905AF89F014EADBC6AA0E2CA
                              SHA1:C3800ED3E4FAD4434D2EB8F0D17E820748721AF3
                              SHA-256:25D50099FC40BB7F9A59481F372515E066D8C92BC1070C5745F0D2265B80BB95
                              SHA-512:F88CB82E7E050350B4BFB9144BEDB5053BF54B21E912AD998FB294AA5CFE3B05EB26F687123C6079B1641C7631B4AFABE30E4803D5FEAF485D27615D2FB0BE30
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7475
                              Entropy (8bit):6.670475403673272
                              Encrypted:false
                              SSDEEP:192:WPceF0lNQ22HhayRXVzW82HFZPRPpXO7gHN:sD2lNraRXNIHFZPBw7UN
                              MD5:85484220B97A0A61CD61ED7BA2540646
                              SHA1:8E3303FE1E447A2EACCC721F690AF01AE9DF5878
                              SHA-256:8D497188F4C86EB49B898F62F9AFA6D792F881A9BB33BE11356E1ADB2E251A40
                              SHA-512:6EF49F4C90B067A834318B5653C1563EA0615CA109B5FE893B4B4F9ADBAAB8E14F1DE63181C16EF850398346B25A7AA319E8ADE64B2E6ABA0F3983E5E0380B10
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:PGP Secret Sub-key -
                              Category:dropped
                              Size (bytes):4135
                              Entropy (8bit):7.680971858156643
                              Encrypted:false
                              SSDEEP:48:ayxOrEOQObORAOT5W0OO7bRaOFO9EpElycNMrk6I1Is+sn7W37tE9wcB17aY1I/Q:aho7NZG32dsn2WD7tIXnqkxTq
                              MD5:A46C2ADA717191A8E4724D888DEC5CD9
                              SHA1:1DCD3549CA6DDFB472832451B78FDA4AB4FB9230
                              SHA-256:409B3289DC631DE304447594F117A8A502091F6723E1D42A6F7872B248943444
                              SHA-512:AEA61CD1EEA7F441BAC1A064B02F1D49DDF2C17E3F15DE62E56037A17ECC2070EC45DECAE5C1DECC87ACD8F4814006CF2D51F9F4DF59DF49A9B3B6A32D061098
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1783
                              Entropy (8bit):7.523429088705849
                              Encrypted:false
                              SSDEEP:48:U4TOlOwvTXTbOm/6iZph0hkD+OH5Wolsv:U4T+OsTXTim/6iZIyD+OH5Jl+
                              MD5:A9882E1C60D1EA4DE93155463DF6E41C
                              SHA1:72C426418339F5B165AD509E9581BCACD690DD76
                              SHA-256:696FB5D87E017A369081146029F734D001994AC64D16D9593F2400081015D6D3
                              SHA-512:F5F50F0249E393606942A4D2DECB9FC9885435A4B1EDB03CB62BB652F0BB17D29B754069B3D19B49E2283D896E59D8DD7201D1B718DD1DCAA241B9B0AED1564F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2381
                              Entropy (8bit):7.651379667784185
                              Encrypted:false
                              SSDEEP:48:KhXtTwdhChXhz/hXhuYGPMHgmSf6lQIc0zJa8TU40rVBZNXhXij8QpakaP:KhXWdQhXhz/hXhuYGEHgmSiHVJaJ4cvp
                              MD5:8ED4128A438E80CF03A55D07A4B7B8A2
                              SHA1:9470FC84649A4A4FB2BCEC91DA4C443A1AEAD9F6
                              SHA-256:BA723B5DDDD0D1E8C7F72029A2F2E085ED9E1CC0F0023D73CC3EC8CD8F51D3C5
                              SHA-512:0514E6D0650568590A3FA929780DCD5831ED5606DA93AF66D0983192F09D5A828430423F4694DF70525CD28D2748EB2511C5BF18031A1A4CAADBB46656E80CBC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6733
                              Entropy (8bit):6.8069081366089526
                              Encrypted:false
                              SSDEEP:192:c/lCACknnM5YRdbTa0b+6koMrtT2waCAZ:c/l3Gq5Rb+6tkNXar
                              MD5:274FF29B7B73EB1F40643795DB241B9B
                              SHA1:069AB48628702781ADD147EB5C79D65E32772151
                              SHA-256:00E38504CE7A777A48FA4F059C9173E46C057330916304D697C70E2AC1942B59
                              SHA-512:B6D1AE094442977BFD610B89D55B615F54FEFC7F7CFE04A55C8546112D7DA6693B665E054B2F22098302661D6CDD6F7CF1073770CADBC915699891D58A17A130
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14719
                              Entropy (8bit):6.770512024034861
                              Encrypted:false
                              SSDEEP:384:04C80+KQHG8KTxGHDpz2t09VYQimjrgMSrt7vbDmvtJnm3w141reunAaaOQXLvqj:0f8rSu1Lvod7UxOhtnx
                              MD5:6DA331C05A5B3DF1EBF35E5F6E37AE02
                              SHA1:828504A73FC776578156647178F962FF56F2A180
                              SHA-256:26C9188F804C8A7399ABD0009F9C74253CF367F3C81AF38B5D42AC2CCDEB7B90
                              SHA-512:5922D639ABEFC7A5CFE4ED2F52226E173F7C2A383B0BBDD6D75049483D1A7823B83A49895AC9AA02A23FE91F30A48C827A6F83BA1714C5F7AFC4C8F91D8E3EFA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59538
                              Entropy (8bit):6.679128803341956
                              Encrypted:false
                              SSDEEP:768:lWn8f+pHnDIbiyiRvXpCfpKFL+A3Sc3Jx1JKHwIk68qVQvHKjYRS34PN4+A:0xpH9dvZbN/hMQvq8MT+A
                              MD5:BD0A83EFE09397CF042DDD67F2ADC6D8
                              SHA1:FA22298783597512877B6C256E592A5436D268FC
                              SHA-256:41B1C8677D97356D2C35D154D667D947E720A2F5E5CC702EECD9E80EF8B89C4E
                              SHA-512:3AB6FE395B73395841E63D40D2C5EFB1BC0E43F6F516362A7035F3EB7930CB65148A47967974D56B18A946A7D4B7D8FCF1B5F72BA6B5C57098D6F0045C9D325E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):611
                              Entropy (8bit):6.953975556202622
                              Encrypted:false
                              SSDEEP:12:df+7wMlHiPYW6nGR0ldVVwzIzlGX75VrcA4wsSwx9+hTv:df+7llpGR07LwzUlo75VrxDS9+hj
                              MD5:33516B3576D556AD6CBBC8CCB1BECE6C
                              SHA1:124D1C6F13F040BBEA508525FA523A242701B4D2
                              SHA-256:9BDB6BB6EE1DF4E0DF733A4CCAB83914626144FC2526EA7BB15BE9CA55137C55
                              SHA-512:D305DB7F7C99A6D85F6A4DD383F9A10E0555653742A75D7D647FA46F666ABEABA31D691CD0650898A7D9ECE232617DB81735A9214C7D2C8AE8DE43187AA6F181
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11344
                              Entropy (8bit):6.51229721970138
                              Encrypted:false
                              SSDEEP:192:KwoSVofw6FC+Wz/JOj8suCRnsHU0Y2SfgH7KP:KhSVoiPzJOj86hrebA
                              MD5:79C1E569187646BCC78305106BA7B2B6
                              SHA1:96F6D3487F561CD683A12B40EA57AF03378F425F
                              SHA-256:E5DFBC06AEC7353C75855052F31CC788E1B4004996DB9272DA3AFDA77FB0A679
                              SHA-512:8A225FE767E2EC21FBD85289B82BBA51FC7586525933DA89F24AF93D90BA2D1A36D39CF6C4CC9087413180CA9FA34A48F292FD330B0513114C9D32B1649F62F6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):812
                              Entropy (8bit):7.004812132534498
                              Encrypted:false
                              SSDEEP:12:eML7SRf8yUf8yvdy1/OajqoZjLnf8yi9Bjdzk0fqO07qwUZJv:erlElvs1xRLfli9Bxz35
                              MD5:14BB12867451FB8EC9A49D7C09612F1E
                              SHA1:1FFFAEB9755EA87B282E4D497CACC23607B1B389
                              SHA-256:D5E50F56B9697ADDE7B4FA4B06CC06E978F439FAAA4B302E4874524C30340AD9
                              SHA-512:11CBDD8A3FF0CE4E21861956448C195C4548170CAA755380CBF810BD259FBE4934E9AAB576711F817A0CAE2E3318D7FFBD4D69BA71A7BD84698104F825E88CE8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2275
                              Entropy (8bit):7.622055233691929
                              Encrypted:false
                              SSDEEP:48:6VJVlx4RtVJVDKYJVoVDcK8NCs17XFrZuA7JUgEttkr5AMAtJ7DwDH:6VJVlx4RtVJV/JVs/2CM7XFtuZttfFJO
                              MD5:4BC95A11F84DED86786FD76847454987
                              SHA1:5E7B9C4DA6471759CFD713042FD04EDA4D646E53
                              SHA-256:DD181649A41C5B73C7D8AB44749FBC4B35FAD411AC311CF2B0F6BA0C232E045A
                              SHA-512:3C1C956752106F9B75C90D26B51395017BBB1E30C3656E71B090D937EF4F4B29BC0CE83CC95B9FBCDCCB79A03B4CC6EE7E06CFE95E90AFDB674B455CA00A112C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18491
                              Entropy (8bit):6.336654254044677
                              Encrypted:false
                              SSDEEP:384:DToEfOhiBI1l8cChNEQikSW4IL2NgWEmUod+IXD0D33VMv38RS:f5Whc2kpJIJzyDs
                              MD5:2300147AB79B86FCBBAC5ED4B9A05533
                              SHA1:169C9135C3791EBAE0139175E08AB43D1C57517F
                              SHA-256:48DEBAFC3860F4D09739A83771DA5CBEF68DE2F0637945E2D74355D1B0FB79DF
                              SHA-512:07D500BACD3EA013EE8BF8C462FEE4319C59A81A163119CFF99E21550E40ECFB1D3D0C2F9E357682C3B87D43408DD91712358719EDDE80B0935D7AB85B7E6B5A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):8461
                              Entropy (8bit):6.876856551495744
                              Encrypted:false
                              SSDEEP:192:G/I1bziYRCob4CirgIFdC5YANgxL7tR7l:G+L5gFdIYAqxnR
                              MD5:D10B4AB4DB9F930D7B5E0EB07613D53F
                              SHA1:37ABF1C5D6E356AC6F73C5D57B2E71D897AC1BF3
                              SHA-256:8FAF2CCA0E15CA0EADB4E40C34164998BF976F33B4D2113C58A5C13A97C96991
                              SHA-512:83075B9F38B65E69760E4C1FBF1A59A0C9EB8953D63CE4C738042D41ACEA7AF0B4FF15D1FDB2B0FB05F4022483C91657D449CFBE455F6B99BDA138A49697EFC7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2682
                              Entropy (8bit):7.544121433368485
                              Encrypted:false
                              SSDEEP:48:gBNyPj/38WC9zCSCgMC+Nfc005psyAyChvCrSGjx6t3j:gHs/KM00QpsTqSGUlj
                              MD5:AED2202FA39434585A6CEBFFAFFBE8B8
                              SHA1:334A7CC66EDCE42DB453396662A4BB734602376A
                              SHA-256:87F7BBB3C95F152E2038DC7C1E92680D1137F6DC9A2919DA273ED49C9DD223E6
                              SHA-512:8E7383A7AB154D173E31724C0CD4C356268CD65708DA40BD2047E80EBB831AB1055931333CCCB26251238BB53AC47DF8F092548C68A017A800935D07A9AC4265
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4578
                              Entropy (8bit):7.804775863308574
                              Encrypted:false
                              SSDEEP:96:49reS6CsaH7621bySBOPYIw3HMJHmLwQmSZjqB4fdWG2w5GDYTD62B6L:4iCsKruE37Z1uB4VWV2hD6q6L
                              MD5:922DBBA0458ED76B7818610FE4587D9D
                              SHA1:C4019F23BB9394E2DE72F8A272E47C87419BFE83
                              SHA-256:F68F2B9F3F4434CDAFF90181EFC913F86F12CA32D51FB51A927B6E867E767AA3
                              SHA-512:E2BEBCE75F380ECA07E85F4EA017D4A3A36B53EDED7892B964BCD8586D69565CC75DB8808FE01E49D413A7384240653B1BB664D785587F14977C4F7F994FC60A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23268
                              Entropy (8bit):6.52083885748361
                              Encrypted:false
                              SSDEEP:384:MvyI7tkKB9b9D1dVgbNFW9757ZT/PPhydmQObEgm9D0IRndbtz9gu2taq0rB7Rvn:ay8JB9J1ggZZTnPEdQbEX5BRdh670lBX
                              MD5:A30A4F58EB00E792887BEC1CE024FEBF
                              SHA1:0662A41310C9D0380958BCE7E6321374FBE35DFC
                              SHA-256:D20E5C0B4B1A681C51CEE1ECF5EB0A37F6DCC474EB02530338C30A90030F0D91
                              SHA-512:F1426B43F844EEED0DF1FF40F659998916B60807603E07744F9E5F12C37CA4B9821CD0C56AF0D5FA9C9CC8A69F68462C3C4EC3DBC81566CDE8D1DCC1EE5ECEFB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2291
                              Entropy (8bit):7.589102553315812
                              Encrypted:false
                              SSDEEP:48:+riCbww1MX7GKwm4W1yfRBmQwboVUWx3CztQWTIGX18g:TCbww1M6rm44pLmCzZXB
                              MD5:C2DC000DF4217A78600F15ED9AAA56B8
                              SHA1:1BD7EFB3D778B452A787C25560CE0925C4994DFB
                              SHA-256:E18D21AD344C877CB91E9BC123B45B382EEEE84BAF79774103F3BC5E245A02D3
                              SHA-512:1AD4F157757DC0CB0BCD859CB876ADEEE338327A9656844206247A56D1E46C3F508DFABC13CDEDDB318E1EDBC0F755F6742FB240C9DCDAC726473E0995D0FC05
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3530
                              Entropy (8bit):7.814292625623812
                              Encrypted:false
                              SSDEEP:48:W7Sp38mEqW1CFrMmYQPzl8sVySkhgOn03bz4hUZ:gQsmEurlYQbllsSkhPn0rIUZ
                              MD5:85560343E1A3FC02FF554D46C971CC05
                              SHA1:DC7B56DF9CFFF2950DA76EE7A8D04D51313C269C
                              SHA-256:AB8E7A639AF258973DE49D9E45CBA589E035F585DF2221C42CEC2DF4E793D477
                              SHA-512:719BEBDA958A1A6527E4651B375AF7D504FAB4E618506126373D1568EC83C63ADA60DDD30817D878C7C3F9112E639734EA968C6DFCA191A91F923F5B204EC920
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8640
                              Entropy (8bit):6.241754515032104
                              Encrypted:false
                              SSDEEP:192:/LZsW+YrxgLniytF+HHtRB3/SoTtfDdxYRtCdu5Su0u54VW34:/Lq5YrGO6FCNRR1TV7YRkQ55L4g34
                              MD5:628535C2B883A6187760B6C1B8AAC768
                              SHA1:034B337D929B8AC2E59AFABBFABC3CC8C5347AA7
                              SHA-256:285DD280EE60F80A486B28789D06FB9A57CF69B166AA161B004E20490EFC81FB
                              SHA-512:CB2D2C2B8D00BA025AEBBE4EE312761B60481A8F0CCD6273C6ED118A1D67C35626AF7737396CBC741D5B609801D5C741BF6A14D702A6055AE43A524CCDA48EA0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3168
                              Entropy (8bit):7.744743367080879
                              Encrypted:false
                              SSDEEP:96:EGH12CGaGr0r4EiZBS+N0cimxRIwXTaGZpuQ:EGH12CGaGlf00EqaGuQ
                              MD5:33464AC4CFDFD14853AB29C5AA1E1606
                              SHA1:B9D9EC035569F7D4801E9970D75224552AF714F9
                              SHA-256:FDE11194626265F93D960AC6FCA5073EBDC930214A7AB5D0240CC8E30A202E4E
                              SHA-512:B69174E79E33C120D346C9DF34B8ACF6A53B97584FF114D426A180EB28C5EBC58F1619D46CF3B52E265738F7D1DE9621746FAA9B425DED1E3223BDF2DBB875C4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64584
                              Entropy (8bit):5.569249804948166
                              Encrypted:false
                              SSDEEP:768:/9UFU1xulF4fjsHgsHn9BHvFJIh0Nv5N7zza:Bwl953Ta
                              MD5:C4F09231572680CA5088AD106E746E27
                              SHA1:3A2C5939F22A51A6D50DDC75966B7E38DAECBB89
                              SHA-256:7833A0B39827631DB91CF53F20D66CB8F921DC395AC6B0C0528DDAD3F529C4E5
                              SHA-512:5E138BF82913F4DE52F4460792C414DBCA1AEEC2B8768BC867AF9F2FE20573F85DC6417995AD56C7708169BB5FA5EE93E1F0972224B8FE6DAB6AEB50C06F7592
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6507
                              Entropy (8bit):6.641803169184028
                              Encrypted:false
                              SSDEEP:96:NpHrHhQazwLCSBxfErq+WSCuJc8B/P9YQNpjxGOecV8LKuEr10lK:NpHrBQasWSBxfErq+WSCqBX9YQXJPJ
                              MD5:2FDB118C16D29499C05D1FD9C0B6AEB0
                              SHA1:66E18B4E3D2A6E240C3277CFF348F3754F1DF46F
                              SHA-256:0986E2D6DFDF04686174A9BC9728B28A9B862544F859778C18198ECD155972AB
                              SHA-512:E4E4F73453881F42665558A5D5572E9D471CC92FB902ACED71AFBFAAD2E4C42CF32E0D8DAB4A9EC8F00A65CB08032542B1A0CB093026D8D43CC38051CA60696A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12149
                              Entropy (8bit):6.381893112835774
                              Encrypted:false
                              SSDEEP:192:j0dl2JhIVngZQrlYHZjzvhLlTaGtjGuk/efXDloPeIZCIRfy+fKuCZ48MpDO2tkx:jEl5VnMqlYLlTvzXDl/3uCZLcD7cuNZ0
                              MD5:1A4B41EA9CE492C7562D7DA85A585CE2
                              SHA1:00774A389BB9466D0998D26BA127520A1086906B
                              SHA-256:12656A0566BFCCF53856756EBAF7E98DFAEFFCA80B7FDEEF8C3944950484E7F6
                              SHA-512:63DB4720FB2601CFF4A5496BEA33166A774F007991038B8FFB44C55C1367EB014683D780E92434A67DD1D9F4EDB3538997E7763128221F09CA1D4326295BEEFB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5840
                              Entropy (8bit):6.7159620636875506
                              Encrypted:false
                              SSDEEP:96:BPcRyZ3eh4fOsj719yk5ARi6KftJ37YTq6lCNGsig1sv:xc0pGsj719dFLlJUCNEv
                              MD5:2F38D88C068E161157A0C01623BD4858
                              SHA1:3A2CF91229CE61DACA9B413C5C68A5A7202DBFDB
                              SHA-256:AB12E9AA586C9DE5B553F051CFBB91FE3FCDE95AF771AB778BC464B763B63D6E
                              SHA-512:9443EA7F51FBE47456F81101E8B1B5FB3BA10A4156C5E07D6895B77F5C7D48B9524CC8B2BEE2E22263A2EE73754B101A0B8BC8632CFD4DE7521D8B559F3B2AA8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14047
                              Entropy (8bit):6.81456217093473
                              Encrypted:false
                              SSDEEP:384:Jc3Tph2aM3IajocJdmls7RajuBlJVEkEan7xY7JlW:qDz2T3Ioqs7y+lJVEkEa7P
                              MD5:B7B80A009C1A95D92AEBDDF96EF71319
                              SHA1:0E6A8D1698876F35448DE60EDE0ECD8F586528DE
                              SHA-256:B3C3730852036FD884E43CF74424F212B959D5924B388A4C962F782C523D43AB
                              SHA-512:648CFB3EA27BF3F975A4783F5B4A14FE21660AF258AC0B4C9F2156E2FCFF2933F6C307F2BDC1F47A34C4FD189B264B66040961A31E48D49C14DD64D39FDDABDF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2979
                              Entropy (8bit):7.722858891978974
                              Encrypted:false
                              SSDEEP:48:+8nLoZnLBOE+oZnLoZnbUZnLoZnSFgIPXlvIEyDQD3scaei9dEira6XjdoZnLE1p:BLmL4rmLmGLmSicdIWVGdE6XjdmLE1p
                              MD5:F16D0BABFF97D87E6CBB837E1541F595
                              SHA1:525C0A68F34CB5C16A7E87FECB6765C62CC174E3
                              SHA-256:943C5A6B5BBDB352960B8863B2A4F2A17E2F8CC0DE53EC8AE0CD5CBF61C4C035
                              SHA-512:B211029263CF99211DD8285474B817198E9C8D9FB0DEC733F9821EB12D89A87F73BEC7428FEBA9CA44A03C8FF35C157496B075D14DFB1AB34387CDCD0F6A3D09
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9715
                              Entropy (8bit):6.738749744408599
                              Encrypted:false
                              SSDEEP:192:yj9zfCEl+ng4/fDVWxMdvF8n6FGxEoY02jZ2DKYe2siWrXVQyS1:yj9zfCEl+g4nDVWx4vFCzEoM2DEiWrly
                              MD5:CA9F0F8648FC2D0B99DA20CA8E90BCF6
                              SHA1:608DD93521CB18000CA17CE15A81CB872099CF4E
                              SHA-256:AEE257F39E2CA9E0E903732358F01655CD34614375D8195E402EC4537EE616A0
                              SHA-512:3D46C8015C38839A6B72F2C8E748B7B51750A861569BCBDB59081B179B5941B8C09ABD3BF435EA62B368184D25D8B299A41A207C1B942BC763136BB63609F25B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7003
                              Entropy (8bit):6.540116137172374
                              Encrypted:false
                              SSDEEP:96:wnft0/Te4dbTKQ/TETEYcRT7TfZWrrT09nAGdbd+cLuTrHHrfT6ovL80:0fi/S4VOQ/QYNRXTSUF9ufHb1LF
                              MD5:45DE545D62E321F8EF69EED2D6F8BB50
                              SHA1:0AC9CBD7415604D2683EF1605A6CB1A1D456C8DC
                              SHA-256:B46EE99EB1FD8D0C1FD8031F0A7AFADC99CB3B9FF75130CE37EC633C111340F4
                              SHA-512:B1EDE0A3656350DD7A60BB3AD5152E82DF9E5C2A592D2188FFC838B4739D178656B420815A4A976335198DB3B66DF7FE58902781E1D900B123EF1326F78E84F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):110355
                              Entropy (8bit):6.844032664191346
                              Encrypted:false
                              SSDEEP:3072:p0xaAS7fi8o95PbMQMRRl8XcWSRyZNZpWsmE:Sxat+8o9wXluSYNZP
                              MD5:A5C902C7353DD0B1A8D76A8635591BE7
                              SHA1:A18816ECA58519175D974A95EC48886BBB461A8D
                              SHA-256:39262B5242B957C4127E3F6E44E7D9A8FBB343BD8D72DF0A19E78FE30BA73C6D
                              SHA-512:35D61173597FDFA1B1F44C6200F030DB6845CA518E48E213C5EE0B770F1EDAC4DB366386D9717730F4256047D2A6EF273E1A8ED23FF40ED5715D5F1B61DFA434
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1465
                              Entropy (8bit):7.4079594607678985
                              Encrypted:false
                              SSDEEP:24:D3CLCMLCxEgPs3lyQLCMLC6a+CMLC4sm1T4NJempPhnWkTLvQTIcsFjGHkeZ:LrLP4ljaCsm1+Je2nWkasFrC
                              MD5:7E0AF16B2F0BE4A8BDEF2E9CBEE94A02
                              SHA1:EDFC4DD130F76DA1C501F93A8B499C1FB0EA8A6C
                              SHA-256:577ECA8CEDF19DF3C10539EB0A3DFE33809EC47FC3ABD3F713D7D6860B9A4294
                              SHA-512:1407E6B417F87A14A7E39A029FC8CF67DB69C4116CE13932A97169CDCC3C5DAC7C852610330C95A87D781231ADB3E8D5745DE8FFB2F1553E353726BCF309B62E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40287
                              Entropy (8bit):6.525480496660919
                              Encrypted:false
                              SSDEEP:768:k5qtuZ3F0i2TjheIBciYSP9pfVdzCW50ss+me:k6aOQsc8CW6E
                              MD5:93C4AF2D8550D99B6AFAA30564E6A554
                              SHA1:C578607B832BB795C139F43A2B3B2BFB6416DF1D
                              SHA-256:6DC33ABE9784ADC0239F71E20E19B29D210E078650F3D783915470C3CDE3DB33
                              SHA-512:02C012B18DA53A5B5C75FFE547B185FE6DE859E7A106D78D6D7BDEC466C39221127751EF92995C44E0AF329AC00395AF0393B785F8D8ECF58B65B88B78F33B01
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1834
                              Entropy (8bit):7.568068713874548
                              Encrypted:false
                              SSDEEP:24:fmiYXcXhCiDXkO/prkBbRq1H3LqZifUeBdug+T69bYPd3z8U1vzHi:fFHRxDXppg5uE0Uexk8N0vzHi
                              MD5:CB7CA4AFF9A13F596A490BFDB12DC667
                              SHA1:D7A8E4F86E7913D2CF7274A31BC0C7BC2B142FC7
                              SHA-256:E22161CBC7BC1D7854A843112C388499BBB942DC228E9395E4F243AEA1AD6D6E
                              SHA-512:A2AFA704E11CAFF1FFB8C3CDF2A5D8C07F8FB47DA019731728390FB96773C26B52C322A616A8EB316DAFCF72D97C16913A05028C959A9DECF8483479F945D927
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9788
                              Entropy (8bit):6.149318774721749
                              Encrypted:false
                              SSDEEP:192:2nWJ7NIWqrqbgw9s/niqmEicsau6qbTN9pwOX:2YuZDFf9DbkHDpwOX
                              MD5:4295E7697324E987C61E1CD8A92D0668
                              SHA1:DAF2973F810B078802FB88B4DA0CE6ECEACC6A90
                              SHA-256:833CFA461C5939FCDC06788962B05D9D23F9EEF61E56364EAE6BEC1DB0A2B352
                              SHA-512:7BDAA3621D46F8474386D3D5193DE14BB645D1D4D026652AFF1360CB50A7F4998FDFA38768B7F3EB4E0D6FBE6C6BC061DBCDCBF037E130B4D488279EF6FB1D41
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5772
                              Entropy (8bit):6.8369104718244005
                              Encrypted:false
                              SSDEEP:96:W6rwulzClOB9Ei4eKyZGDwGLptVAvivgiv:WhAxxiPVAGgiv
                              MD5:BAF832D0400A2300F29D52B2E070B2DF
                              SHA1:59AFE95D040DB56A0F3ACC405738CB74D82739BB
                              SHA-256:774A87F4050FF0781AD8C298D0C9323B10B891786CD1CCADD5FC5C745A65A623
                              SHA-512:30E4462CCB6677D4551F38B5C0C3BA86B393DCBCC262DBF0DC9C4760A3FED098BF66F1392ABF7DB32E4B61B70AEC062621B4AD65152EA0C1B5AA8A7D357475A9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29874
                              Entropy (8bit):6.054372120191036
                              Encrypted:false
                              SSDEEP:384:tr+wEGq6o3VoRXOBnVkqKSBNv+IFuNS3lblHdz20ndxo/kTpoaluVP6aZ/7liulE:A6XpwHWSVp7zG6fiD/ty
                              MD5:BA57BF1AAC9518B458173800E757E5B4
                              SHA1:DF4F4A09FACE595C96B905C4EE47667266DC5402
                              SHA-256:A92AA70D0C1BFCF88D6AF3EFDC50B34920B312DAD073042FDD0CC4F65FB58D51
                              SHA-512:B8811331849E06A38B015858189B22EF11E2EC99820E2051E7E8C3436BC9928EAEA925F596EA404CFC1191FFE1C940ECC39A7DD8059646DAE0C9E1ADF8D7ED9B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33196
                              Entropy (8bit):6.755508719301189
                              Encrypted:false
                              SSDEEP:768:xfEntD3ZVNMGdzTmNe10iZ0ZRHAhwW7EE70wC5HyyKE20R:xEntD3ZnMGduNe10iZ0ZRHAhwNE70wCV
                              MD5:0AD0E76491EF9A84ED8F1A2410C49D27
                              SHA1:0541E8347B490776E4E887671DB6D53CC8F665FF
                              SHA-256:46DB0D59D32DD8CD8B67A6F1210EFF53E9F0E69513539867CB6BFD074502538D
                              SHA-512:1A4AABC51780D3C3238A880F792C0E1540297352E2F3F432DB474EFE1866918E0C812F6AC7201586B37ED31887A79205E2784230B3188449A6BD8E44D4A52572
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):39300
                              Entropy (8bit):6.6014678821790636
                              Encrypted:false
                              SSDEEP:384:WW6o70cSlOOZdZXLw0HA6eU6RdRoDJZ7Z1DpXkdAtLeVUgKZzf4Svsn3PQ2mTtGn:GOwYdRoDJZVHWh34zJfyvH
                              MD5:97ABC01BF2EA20A446917E92FBBFF79A
                              SHA1:F4794AC90866D817BE65CAA9FE95E2F65292B6A5
                              SHA-256:20E649881218FEECB217A0A137781ABE56ACF536E0EE90D69A1C21572932F103
                              SHA-512:632E77F0714808B659F63176373AA5F26867C92FAF5AD19628013FB22392106272706471170FA19D5305417EE9F312E59D685F8D39D1AE4DA09B42ACC3FE916B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12321
                              Entropy (8bit):6.35986954072015
                              Encrypted:false
                              SSDEEP:192:KZtROaLSUcXkfu2O926JwVbB8sPBqImcGVMc4PNXqDEovalqXnM8d8E8ZoGJFmlF:S/uTkn6Q/yMDkseEpmnoq
                              MD5:42CCEA933FFE25C35FA7161AA7540C49
                              SHA1:7DD7CCDA7C88310A4DB613D465FC28C72CFB06F6
                              SHA-256:15E37DFA9CC0E4BA669AC9F507F90DE7A2D56C9B6CECC61D625BC925B26FD280
                              SHA-512:840E6C24B49A36F3E2808462D57D368EAB88E340BBD09496C74B632469D4541F51071617973C5E79BC13462A792C05D3BAEEBA30436A95201BB4798CCE45BFAE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1921
                              Entropy (8bit):7.570615115755216
                              Encrypted:false
                              SSDEEP:48:P1lBgsquTRz/K+3yxY4YKEBGOuGMFrryxyvyxy3EGyxyjn:P1lBgGLpyxY/KPFrryxyvyxy3RyxyL
                              MD5:D963F8DF54F78D303AF77C88462003EE
                              SHA1:20E392A0506BE957E2F50E67BE2D1427C2EB4E06
                              SHA-256:111185A60EB948BC9FB110B78BAD600B415451B3CFC4CDF6A5B21140B9B619CE
                              SHA-512:57106AE71C8198F6721E02E548D86A8B44ECAF47446B856078EBE3A7A9339161FD977786FB7C5A6BCAEB8C4CFCF0E78F7EB9305C8970A790E5E0C93056D40401
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:TTComp archive data, binary, 1K dictionary
                              Category:dropped
                              Size (bytes):95840
                              Entropy (8bit):6.39684816812841
                              Encrypted:false
                              SSDEEP:768:Oil43Wj7sEmhreH7TcMEAEgmMvQ37vR0ckU9SHPeqdo70JUc0k50PVU:O4cqEJRGFd00JSPG
                              MD5:29BA3D57C0DEC040CBE61528DE71A30B
                              SHA1:A51188FB1B35170711B83C3250B635688830B0B6
                              SHA-256:0E803C752C5E95A08823F2D67A580E5E6EBA0E0308D80A820D05F826A239E288
                              SHA-512:CAD4B3C3C75300D5F6C538E8458E0D92149F132FF2BE0AC49E48FC00F590A4020E7BF8BDBD5E1BFA66126B91EE2BF5FB2F53979B57EED59E9346CBD6F20CBC92
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):204395
                              Entropy (8bit):6.442934434306256
                              Encrypted:false
                              SSDEEP:3072:w1BNN/plxFlY6C/Sob6rkcvvUDTwA0eeljVtJW4XxN5IjeLBmqkF:w1t7xFG6SSU6rhvUDTZ0x1Voj6BmZ
                              MD5:95B85251913B7A59963E36F1C4C684E5
                              SHA1:CD54337BF36AD5156F568D0055812FEDACB697CD
                              SHA-256:675A9593D139BE85AD7C489F9F33C1ECB8F65B144547A4323603BD1D6892E98C
                              SHA-512:576EF207B95358F0E107E2C46ED8AAD12C691E78636E7D09242A6BC576BA8EE1B049559439969BC6C6618B89F1A6EDA0F5E1B37C2DAC28CE7D20C4CAF6408E62
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):20275
                              Entropy (8bit):6.1724044089541446
                              Encrypted:false
                              SSDEEP:384:MCXj2AQfw9K7fln2Bqm9ueWq3YWU98HZ80ZluVcz55W1MGbG1l9lK:PajytHTBFfK
                              MD5:570345490C6B840C5EE891C76AFB51F1
                              SHA1:E44302CFE70D9CDCBAB275CF25FAA839C60AAA0D
                              SHA-256:B059D1E120512A80507DF83E7AE0874BF206FF4790AB3B88658A28526251D098
                              SHA-512:32F1C93BAF9A313A6F1E0E73E5E17FB8A0288CC65ED24884BA4E5620515B7938EA772642F23DFF13A53E1642AB3B9AA78697C1F1C58B1440FB95670958617F1A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29840
                              Entropy (8bit):6.622047268120432
                              Encrypted:false
                              SSDEEP:384:wg5VTMN16FQQViFRW8KeccY54cXL/DSl2Gz44QZ4UTOkXtLdNDBCMJ1R3S14Mgh2:NTLsRW2cXLy/zO/dHPvWMs19Z
                              MD5:19DAD413F78D37C472E0529FB33467AA
                              SHA1:1FA0DD84024A7C2F139E77558ADC698B459918F9
                              SHA-256:4101B23B1AA2DE982941C8397AD957D49CC7CD47F90278404075A580E3E8918A
                              SHA-512:47348203D6FC3345D155568BE69D009C2BF606948631E3FF81DF83AC18700885847497AA104A62AEBE95376DA08E7AA0B4C738E21084B9F32259A1B6ACDD47BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13395
                              Entropy (8bit):6.3369845014890585
                              Encrypted:false
                              SSDEEP:384:JB2yBCG6gE1b+ioWnbZXIEqUC8zueg+7Ys6:HBC9Zg8gF
                              MD5:5B9E486A8F4DA580BFFD9B2E0A461A44
                              SHA1:C8D6EFF9210371BC216B1FDF5107E0572B03F599
                              SHA-256:A7DCA6EC15D531BA3894EE534CB415C70E2311B4036301E0B9B13E9F31DB015C
                              SHA-512:9A0CB3035716B6B74EED8FA71961FD54A8730891D5C7E55B1A6CC63C0CEA8B724B77E00491D6B74A5C163F8622A5C94352ABD1F16B6082B2694F630CDCC0A603
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25802
                              Entropy (8bit):6.508121604358239
                              Encrypted:false
                              SSDEEP:384:BKOJqFZQzmKdp9Pb61EYX3xgNGnlGAF+mYM2lHexOQMqdiz:0a/heKaxzgYX2Zextpiz
                              MD5:95E7F80868AD35ADCC29B8EEE083F0AF
                              SHA1:CE8652E2291DA973684BD32CA935317EC1B66B75
                              SHA-256:728E226AA6B2632FEE5A70EBB362DB3804EF2BA6CA8155E13461E03151B08A18
                              SHA-512:5F4E6E15C8CDE1F2644BD78C7FA3E6FC6183785BC70D8259C9A0CBF80EFA76A8B41089F7BE538E668BFEAA557C58CFC6228F043EF64C7420B789387B14727302
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18319
                              Entropy (8bit):6.425969848672745
                              Encrypted:false
                              SSDEEP:384:5YNg+3uosUKywDL7/rrjoOMZV/QdGMGc3VVzE6GfreApsU2O:0uSQfrVGWWr3pb
                              MD5:8DA3253908CF5F299CB9300F290939B0
                              SHA1:8A522B1745DB75531F52441DA661B5D831AE66B0
                              SHA-256:5EEDD2B7E0787A52DEC6BE4A1DFDDA48FA8526D796EB21B3555F1695F86C8F42
                              SHA-512:CF355D71CED9E5E769A133CBB32413C27952696B8A4C92C61DBD6A1F8EF7C485C44D015FE9534D79469ACB6E33E8F22E4A244DBD54D46AA6440C06664AC6DED3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21013
                              Entropy (8bit):6.2605501495577665
                              Encrypted:false
                              SSDEEP:384:e3r1KLk1Loc/rGfrsokaNH0Vh6IoMkgXq4lb9NVLKOCK6pGJ:ebkYtocGwod5kD0yPpjJ
                              MD5:4C06F1A99B25FC6F9A560B489758E197
                              SHA1:8BAB7110343746B6B622660697990DC55597E45D
                              SHA-256:B310E063BB91D54B3B91946637FCF5D05C6489C4A65EA36C1AB8D1F21154E0C6
                              SHA-512:C5A6D5F1EF5063A35FEAE826F673FCA0D56D6484A7E3856C2F742C8F2E9C17CCFA7BD587A6DE13142E0BFC5B315A388EA00941BB513EF935C62F29AC5B949D8D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21824
                              Entropy (8bit):6.244583988112663
                              Encrypted:false
                              SSDEEP:384:bzK0ExLkl/iocB6YTXdHGOmNWQsJXojxqb/FW/rlnNZ0Va/UJu:6ZsBX7r
                              MD5:B970A426C31D556EF5E769C82DAE39B0
                              SHA1:3C52C2C951A29FCF6C6C8E968D81F9FF9F3A68B8
                              SHA-256:43607FE6E8AA1CC5A989C66A195F976488BC0E4F7FE8F15BCEF2C928914CD5C0
                              SHA-512:4453A8A57A04F206AE2596A95793EA23394774AA9E2CC5B52BD74E063D853729ED2F07A155F6BEB0AC7379AD71D7CC1BA8480B4F4DD66F1F007F3F2F84834065
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14537
                              Entropy (8bit):6.174925009676731
                              Encrypted:false
                              SSDEEP:384:UpduHPddvyri6oxxo1pBd1bcUmLmyLitTkM2EDdGQ8h+kSRfsAuWVaEW0wEcY:UJOhy
                              MD5:456FDE1B497F62B734FD4DC84D4DEC9C
                              SHA1:FF1C7471DF9492750C70E3AD98F7E90D0563FDF3
                              SHA-256:C25E9FFCFF9FF55939EF5BB57AAB92D2DD25176C0F7FC33FCD6F3CF12F9E0492
                              SHA-512:9C1887461607C7766197449AB71422C11A8100CC0BC7C6648D85575E7BA1151AC32798FF12A53D81A5554C5C4A7EB32B3C42C9C21E65D77E66151CA6FD30C2AF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):76943
                              Entropy (8bit):6.503044816617891
                              Encrypted:false
                              SSDEEP:768:bsFKkXwFaxvmexMRp+CZ1bnnhprKssCYn/nZ1LKNOWCExMlVZ4kuXa:YFxXwujQZ13rKsSnxgsWCEW45Xa
                              MD5:C223D7C65F3B91C7C20112DD4FB38309
                              SHA1:A9566EB162D6B2F7ABBCF97243307102A060E439
                              SHA-256:04FB1D7D41E75A1E57FAE73929401B3D47760B38EC3957C68F4D938FEBDB85C0
                              SHA-512:FD402994397EE2465F4ADC7BFEE6E2E05DCD9B0B2A2A71B5F44E9C669DCF9CB490D4DD8B317F9490B5C868D95A37CA4FDF42FDE66313EA4E9C2485EB9E17868E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):35385
                              Entropy (8bit):6.339133189991471
                              Encrypted:false
                              SSDEEP:384:q6FvkX9P3ABJFMnWKEsjx5lCMsuGXRZknpbJ1Ojye3t0CGCAjRxAGW93NoqwVkf6:QWJJlsf8X8TqE7tBdP
                              MD5:8A922072AB38465D13BAD6AEB242BE29
                              SHA1:59214E71EFC4A18D6E089F80F95A24BA6C20E563
                              SHA-256:F609BD5501F066DEA0D28AB60E31BFDE383C1069A72572ED0F6FA5088FD79243
                              SHA-512:7EBDD38ACB7AA5178C9CE428691C5F85F0340FE0A0441DF6AC21A2447A72C0B1855C97711BBD8378853803858473B4ED8FA7EE32F668125E67363C8DF588CB84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38690
                              Entropy (8bit):6.470162968616411
                              Encrypted:false
                              SSDEEP:384:HKVoyXGtcV7uJWs2xRonC9Q1OYB6Bg/IQxIPGi+ctp2Bl/8vMSU9zg8lae4kNe85:kWtKW+oC9Q1L6kXvkvFV5W
                              MD5:2D1B08E8508CFB199EDC95DAB1C6B63C
                              SHA1:AB98BBCEAB8E353FF73C5FEAC9D883BA6C0CBC75
                              SHA-256:F6C7D2CD11253E2777D15E281ADB4F7108180B7CB0BEF285B8A147A60BFD4AD7
                              SHA-512:11BB94F141F172014F5D6A26C5DFA3542563D1180A6BE560AF8DD8854B4A86E79F686CF3DCF70359DA6AE4B4D045FCFB304A8D874815DE847255354A2536FDA1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44816
                              Entropy (8bit):6.237251050605606
                              Encrypted:false
                              SSDEEP:384:s3lo0j6WNKMJ8mFl5nZm596YjHVLrJTc7pVwXVdHyBjsSYslYsZk+AelxTwV/cBG:v0f/JG3cdttl8ptpg2HX8yC6/ZP
                              MD5:A273C117E55698EAC514EB4502A52675
                              SHA1:15722B00EEE4179AEFE0F0C9DD5F528E505E2C17
                              SHA-256:28C766F5EC32AD332F378CF1CFFF05281C3372809038A4B2C3469F437CB9688C
                              SHA-512:9ABBEC176D55AEC86BC0DE5E2EF01A6C09C6D070996496CFB7B7A1B36361155C7085D36B2DDB2CC225C24C5E4D2BBAD5C37523DC01B3D6CB92E4C159BAB05032
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42747
                              Entropy (8bit):6.456438743313338
                              Encrypted:false
                              SSDEEP:384:/Bd3+DB/jtrA8fpGf+5SIXE/bhnTMtxEBHjcPsIaAdCtZTZFBrq6IhmsLlN/QTg9:q1F6IXuuKLFZ7GR3/RVvvqDAN
                              MD5:B3A71F421F7735B9733EA31EBFE804BD
                              SHA1:FE4BBD2251A091164A17CC3D73369FFF9177CF86
                              SHA-256:10257781FDAD3487A5E3311F1D7E8757EDBC47CBBBAC449AAEF1623E05E4AAF6
                              SHA-512:3F74FC492F5E245FE1F3C705CB909F5D15B6E2ACB635212961DCD21F6CC36FE26B29233FBD30707B5A52EC41EAD1228A70F7FA16110E9A54E3CBE98E1BC93E37
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):77908
                              Entropy (8bit):6.320276039197386
                              Encrypted:false
                              SSDEEP:768:W/S5nEg54tdTDob9oatbovXUA6kAp2hYO9Yjp+6nrhKPL5Sr:DENtob9oa9ovXOjO9P6Ezu
                              MD5:25121C47D55FAADD38A8DFBBFC0BC9AF
                              SHA1:9B228376ACE6CC261176390EE39D7AE0AB8BFD74
                              SHA-256:558205C8332E7763D830CB7F42A437DA1E9E89F6A8B3C6FC70915FA0449A11FF
                              SHA-512:91847726FFB0861F36AEE6D4EA1F8F2CC287126E16F59773240045BA39EDA7F29A310F8879829992E290532746730C65AFE6B9B3EF027109B7A97F663F9FB7E9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28405
                              Entropy (8bit):6.216308982639467
                              Encrypted:false
                              SSDEEP:384:x6JLfmofk7sTatBzOYLGpLNT3V9Jf+iE9XkROeDdYOf2qP3tBtLhbr:41upqNe2HYSR
                              MD5:D244B33F0749ED728788F54B18B5D992
                              SHA1:F455F652F84194D8E123B54FBE02CC9209B0294D
                              SHA-256:AC7997D12EDCB23274A3DEA9A21532BE0ABA9E742AE55947BA40940C6146EF42
                              SHA-512:4B7B7096C404F8D66FD1A201452109322B571DFDBCF2E68E3A3FBD655A685503A94A8E86EB5891CD3BA6E4A60EC4BDF5C5E8E60EA222229832C18C535C4EBA0E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58771
                              Entropy (8bit):6.327656270859697
                              Encrypted:false
                              SSDEEP:768:A0KmuTcwHYErTFpnHyuYzwZg6hn0hNx9W3V:8muTcwHYErTnHzAAg6hn0hRW3V
                              MD5:C47BF0350E61FB2D4A7ACB419EFFF659
                              SHA1:78D260B6DB4C1CB69F0C21168603F30C67755108
                              SHA-256:576B824753AABA554786D9450E85D2A7D314719DEF69D37383BA8557F69925E0
                              SHA-512:B8E90B345C341FACE5134633D926EA3D6E7721498C31245094B0F7567143A1516A98791C73AAB271497528DE525DAC2AC0C116981E241C3EDB649EF4024A6E56
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42159
                              Entropy (8bit):6.284256794211188
                              Encrypted:false
                              SSDEEP:768:ayKR6nt2inn2/ruDUxsVRhQn8gD37YeIxAsW:atRa2ioSxQnFD3+xAJ
                              MD5:026C80F99D2F8C6E27CB445581DFA712
                              SHA1:A0BB0A35D20AE3D393CEDDAE5FF90158B6E654BF
                              SHA-256:DF9C5FEDDBA1F8A026A6B5027C2B67CB29C6B58EEB29FB160088CE5B5573C305
                              SHA-512:C89B7A32492138F221FCC2FD3BCFF21BBBEAD1F59FDFF38E6E7A83C6A68FF8D7AE74B4AA92ABB19BB9820CA98A1630496C1A878F602FC689577137F555855BBD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8631
                              Entropy (8bit):6.695037745725376
                              Encrypted:false
                              SSDEEP:96:aeS5vxoyBbIovTiBu0g+ArwYwjwthw8wLw7wBw5wRmwJYwjw2wDwhwvwZwNMwreu:aNpoubWEAQYqbK8R72INQnNPoSqFH
                              MD5:0B4DFAA88CB69C27849D4BA210711F74
                              SHA1:C1D928C5638158237A4D18ECBE05F8E973FB750C
                              SHA-256:57FD8F36C3AEBE80E2EFEBED3B65E25DB48F0840E92D69E67FBF281A2563B929
                              SHA-512:5B436D6A05352412B366356C14C0D1F8F96C7302543A6EC246AC2BE84A11E1E997BC89D7BE5D3D7927334F976E379B831397ADB454A4485CEE43E991B08E4E48
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9332
                              Entropy (8bit):6.683165822801495
                              Encrypted:false
                              SSDEEP:192:fM5XYm7mvOBrWc/ojiiikJU6l8oO26NMJCKG8o+NUoP986y+gya:fMdYctTkJU28LyJVFo+aoP9I9
                              MD5:B8B344FD9EDA9425B53FD72B4F03002E
                              SHA1:C6FA1D3F1C53CC58BED23A9C05045E8769FD7E3C
                              SHA-256:F2D64CA059B60BBA52C086E87B9FDD32371FC26398B702AA57D1EB00A56ADEE2
                              SHA-512:EC97B54A575AC0952CF2458630172D1F5C0BE4CF9E4C4971A32C6A2718FDF9BC14DB05376EFA79306A5230B50BD8EAE76B772C31EFD38A5ED95C50989F0678E3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6573
                              Entropy (8bit):6.704627854860801
                              Encrypted:false
                              SSDEEP:192:B1YX/95gypNH+olLkUIy0aa86XB9NbpYQGdGhM4OR:BCX15lLFlLfIy0aa86s/p4OR
                              MD5:F398A30077CB91D89232107599B3E29F
                              SHA1:AAAFC4C7EB30B10DEAE6578658BF338B7ABFF685
                              SHA-256:FC4441B2B42510656C3ABE356D6B85BB8DCB81E29BF8E243EC6147E1DA9E9392
                              SHA-512:19634AE5D5B89D6269F19365939F32C62597B6DE4FD0FF237733EF9E71CAF2BF5819376D9698B8A8D3C69B505889B59B673EB7BCAAF305A7A0F460AC5108797D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):47094
                              Entropy (8bit):6.529183296395047
                              Encrypted:false
                              SSDEEP:768:pO1HARkaHBuGGxeMRD2mQL+A0IVl/esErZgWv+n:8BAaaexeMRKZKZKqr+Wmn
                              MD5:557A92915A0A79F2F943046A92816318
                              SHA1:E29B2D112619F6B8C2B57D1F592E02D92B14B7D7
                              SHA-256:C10E534A0A36AF476165F7D0AF57E4C429DE5BAB142E9E2632979CF6BE2E50C1
                              SHA-512:ABD5FCB4237AFB62CCFAFEEA0753A4CB067266D18122D900554709F9A720872742AA5F5FD8A3465DA124B2E222CB7E0DD4713E1EBE3BBB37C57B2ED73A87B567
                              Malicious:false
                              Preview:.8...d.u..j.B..oa ..s[m.'...V...V.lC.Q.x.a..D.....M...e..d}.P..nAPIConv.au3"....; #INDEX# =====================================================================================================.l..T.=Xe..4Dr..X.Dj.?z`.kE.B...t..'.P..e.k........5^..a..;8....It Version : 3.3.16.1..; Language ......: English..; Description ...: Functions that assist with Windows Networking management...j..I. Ex..)Yo..Ebi@.wK).nN..S..F.~o.T.b./..$....2[..o..s8....w you to implement networking capabilities in your application..; without making allowances for a particula.q...o.3..y. .J.';@.p\).wH..M..6..ge.H.~./........)A..o...8.&..s is..; because the WNet functions are network independent...; Author(s) .....: Paul Campbell (PaulIA)..; ====.l..T.=Xe..4Dr..X.t].".4.:..Q...g..4=W..1.2..W.....z..K;..=%.O..===========================================================....; #CONSTANTS# ===================================================.l..T.=Xe..4Dr..X.t].".4.:..Q...g..4=W..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33780
                              Entropy (8bit):6.766472741343845
                              Encrypted:false
                              SSDEEP:384:bRQ+W5a+pqLXtoz3zwg5o/5TXHiq1Wuhj1Hjo3pE6FLntzUewo36GtHP0KV:tshA/kqgyxHjMpEAzUewo3645V
                              MD5:D623A293E73EF040B696C20E2C97F6C9
                              SHA1:A55EBA5510C7D0B3BFC94E50A8F19C6CC2FCB717
                              SHA-256:279F2DBDF14FD56DA7DA6017D7D72AD1D77A5AF16EA6AA0E41BDC233A7858422
                              SHA-512:C0DCAC60671CAA46683D7427D82604997F70653ED4C086A9363510BC1EA0DCD8876463DC12989688FE9A6127826F779775AA9392091125190D988529B21CDADB
                              Malicious:false
                              Preview:..D..$.#.t6..h4..Q"j...d..&AE%k/..MU.L..:...q..(......Y...k.1.==================================================================================..; Title .........: Windows_Constants..; Auto.....#./.ux..V.A.[4g....{.g..m7u..^F._..=..\ .V}(....Q...".cR ...: <a href="../appendix/GUIStyles.htm">GUI control Windows styles</a> and much more constants...; Author(s) .....: Valik, Gar..l..".j.5v..o.R.W?t....f.;AE%k/..MU.L..:...q..(......Y...k.1.===============================================================================....; #CONSTANTS# ===============================....lJ{.&e..X.O.W?t....f.;AE%k/..MU.L..:...q..(......Y...k.1.====================....; Window Classes..Global Const $WC_ANIMATE = 'SysAnimate32'..Global Const $WC_BUTTON = 'Button'..Global ..D..qS..D...'q0.2"t...N6.i>.`q........D...Ol.rVz..h.{&...v.,.ComboBoxEx32'..Global Const $WC_DATETIMEPICK = 'SysDateTimePick32'..Global Const $WC_EDIT = 'Edit'..Global Const $WC_HEADER = 'S..b..5.4.)..."R...ni..R/."+;G.]..51.L..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11982
                              Entropy (8bit):6.677795952801588
                              Encrypted:false
                              SSDEEP:192:h9yo7myTd+WWOLCFvnhrCcT/HXVaNDAx34GA:nT7AWwDZt2m9A
                              MD5:F7DC0E8CDBBFF15BAFE002DE4BEAB6D1
                              SHA1:8D27222112F197F33878EC94C97572197B1AD664
                              SHA-256:0B90C4262F58E3A2EEF2EE6BEBCC15F42C89D5B33AEC4EFCC0865BC0CE235D4C
                              SHA-512:08F73A19D27B73EB4DC9195759E1DEB3CA8787A1BE9F00826F84EE3D72B0F54B4B1F4C76ED91285A17F0BB9B7A4E0FC79B00C8E5DC3ED95012FAF83DF2E3FBF8
                              Malicious:false
                              Preview:e......U.S5.z.`yA.#.....|...<en-K..mS...>K...WK..'.gz...)O==================================================================================..; Title .........: WordConstants..; AutoIt V#..........e.F.CFw.;...%..=.../v}>X.......p........h.......:\: Constants to be included in an AutoIt script when using the Word UDF...; Author(s) .....: water..; Resources .....: Word 2007 .......D..S%.W.....:..8..r...s7 ....B?.............c..?s...#W28v=office.12%29..; ============================================================================================================{.F........k.J.PNG.....p......U..D%..mS...>K...WK..'.gz...)O========================================================================================..; WdBreakType Enumeration. Specifies t?.....R..\=.z.VS).e..?..f..r<=>...S?....-......[..5..85...v.213704%28v=office.12%29..Global Const $WdColumnBreak = 8 ; Column break at the insertion point..Global Const $WdLineBreak = 6 ; .....U..0\.......C.?......o=.b...b<.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):528
                              Entropy (8bit):6.8244708345766165
                              Encrypted:false
                              SSDEEP:12:zdtAecRCNt6/g2Tdtvx9W981W3A6YrJmHgc4uAjY5e1KQ:5tAjCeV7vxQ9E4ZHgKAjY5e1KQ
                              MD5:0465A9B8321D8EAD04E3AD0C5DD9D999
                              SHA1:B96A63C147B863907CD77ADC2D456B70CADF1339
                              SHA-256:60BF501FDF7D6DDD33D37EA45C0FB8477F4B3C78B021D5C4F58C717D7A4F3F4A
                              SHA-512:F22C3943059BE5FFE834673DA994BACC030E491FB0E8082FDF8B0293D57109E4178E1C80DFE14BFE1C996CC2A3AF522252BBA2C9EE448498663842B1D3E4FBC2
                              Malicious:false
                              Preview:2g..\ ...U.l..F....]..J,...=o.....l.4........R).0.^.......=.`..V ...I...`#....F.@.*...)s...N.j..3...C....Q5..|.T.P.4...&.b....l.s.0.p.M]...V.U.8..o`....D.x.3...Y.....)..d._...R...:ead the .au3 directly.....U...F./...92.{....&.%...l>d...{fk..r.F.y......0.H/s........e.....{...Jh..8.G..~*.q'.6pe...<......U.H.~.w...^W!.z!%Fpz.6.E..:f..o..6..`Y.A.Oo..MpJ....a.u...._..P....A4....d.gv.w0M...?...'.M.?I.................................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2865
                              Entropy (8bit):7.755960682890418
                              Encrypted:false
                              SSDEEP:48:CHu9AA+x96CbjmXC23kn3j+2oMwB7GbGlo2jgJ8lAOR7WMiwNiD/FcjPiOgTG:Fexvmyakn3j+2e6CoWgGWOR6wi9cjPii
                              MD5:FB73228BFD84F96B7131719E740F9A0C
                              SHA1:1E3B0BD4BDF8378AACDCE929649522ECFA634590
                              SHA-256:DAF845BA9AD5D88E35EBE5B4768B78E6E211EDB733EE9AA7C12884D08AA790CA
                              SHA-512:3D790961C114858D45343462AC20657031A3D62488F7F85309D0FB01B59C373126BC408EA660ADEF65D0CA01C4CB6AC1C33A704B60D1665D0ACC6E386337194D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1663
                              Entropy (8bit):7.686731713799366
                              Encrypted:false
                              SSDEEP:48:IV55xD/q5n3gCt+mGp8tehVf9PU7VG7N4NlfCW:m5YGyteMQZaaW
                              MD5:0257DAC8300364E2B4644CB17790DC7F
                              SHA1:1D7D4539D4E228C7120D1DB379ACB81620BA2291
                              SHA-256:6C0AC7284E252DA30279026A7BB2A8EC662B91DA16C60CD3B8AF3522F66E3F61
                              SHA-512:669D2770BAED41368DEB78DC143AB85050A1956AF628B8E674FA4695BBBE978A410A8DE63C0B132BF14E4C3806FB1CBB83ECC65007C0765CC908225FC378E377
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1118
                              Entropy (8bit):7.501885726726087
                              Encrypted:false
                              SSDEEP:24:QIrrGdvsXrq5bLPikEpLDUJkzldVd+EaMk3xa+1a:9rKdvsbWvqNpLDUJSPIxXa
                              MD5:98CBD5C07D771B1C3D92D4473F83A4A5
                              SHA1:1EA5242E9B1111AD4002E30D97632617EF3F54B4
                              SHA-256:33E5C6FC6CC479C15A9E2E3DEB0C28D7F425BB180589709DE0826C3E0EBCD123
                              SHA-512:BE079552BFAE1ADA3DC69B17D5C31E0B1E541E20D4AABD3B9C2553EF6904053645BE33B80972A0CD9F5C9F416CC7BA9465441D67464C8963DCB42FEDF4D6CF1F
                              Malicious:false
                              Preview:.W1.(.......q\..d.A../.... ;)...p.._.&7'......S.*.?.`..5....m2.(.......2..m.....|5..D73..p.VK...#.#....O.-.b.~.Lc....1z..i....m..W@..n..@.K...o7....`..#. )>....=.T.....#3...w~........I..a[.P(./d.z5..m5"...|....7+".J.......F.b..s...9*..D.....V.uL..!.L..aw..q=$...q....c:w....M.O.A...Er....9:.(.....)..oJ..!.K.. e..#.+..q..A.&/6........8.T.ET...w;..9.......v..,..)d.o../Q..j<e..D.aA.ck{.H...O...Q.}.@y....K|..y..........,..7U..E.q9...T....4..n.NQl.J.....t.E.0..'....m-..'.....P..a[..c.@I..g..or7..}.V..I`).N.....Y.P.-..7....9...*......M.nD..u.s..(t...X|..K.v..."'.J....P.s.A.C.Zc...o7.'....V.bE.j..[I..|..W+7..4..^..>#.?...(.V.Z.~.Ly....p?.,.......M..v}..d..I.a(..wr...`._...5!........T.y.K{...EnvVarSet("LOGONSERVER", $domain, 2)...Tb0.....X{(..h:.?.}y.....@].0....a.Y.Gt!m^...nP.m..1..W.&V.^E...H=..q-b.Z.$'Z.:<..tT....Kz....c.V_).M#.!w,...bl.f..w.w#....~.uKN....w.%.......6......X.......).Y..[zg......N..E.e...Y
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25328
                              Entropy (8bit):6.907919125095914
                              Encrypted:false
                              SSDEEP:384:1bjy+TwYZt3Nazk+EF+uLIUxtRNUOyC3QGifv+X75HC1F93b7V36PgJr:1bjyilZYTEsUhxRQdfv+NHAFhX5qu
                              MD5:F1D3536282C0D0CA76093AD7EDEDFB5A
                              SHA1:73A594A97DFC817E56A33CF4AF8C9BAA3ED5DA77
                              SHA-256:202EB2A89585F62DFCC0DF9C910F4DE86141556D195DA18ABD87F7871DC49B03
                              SHA-512:0FF388E36611D1C02B705BA874B4D9B84EB2970DE502663E02F3A3E82A86CDBF259A21BAB0EE8FAD1EF789D000CF59EC0EB7F0E047B205D1D0499098B89449AB
                              Malicious:false
                              Preview:0.&.F......WB....X..W....,..K.s....x_[. k(.+.5W....Y.f..j.Z.kau3>..#include <Security.au3>..#include <date.au3>..#include <Process.au3>..#include <Timers.au3>..#include <Word.au3>..#include3...I.D..g....\U......5..n.=.....O7.0<K.d.?QU......w..k..oO#include <Color.au3>..#include <Array.au3>..#include <WinAPI.au3>..#include <ScreenCapture.au3>..#include <IE.au3>..#include <Crj.<.K..T...0pq...Z..........M.=..M.hB...X/.}.8.*......C..w.R5,thXor($n, $k)...$ran = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"...$arr = StringToASCIIArray($ran)...$len3.h.^....766....4.M.....T...Z....9...3e..g..ZU.Y..u./.?kL$out &= Chr(BitXOR($arr[Random(0, $len - 1, 1)], $k))...Next...Return $out..EndFunc....Func _RandomString($n)...Return _RandomSta.&.}...q:|...4......!.|3..&..C.O.T.|8a.e.2Z].p..s..>.E.*tocols[2] = ["http://", "https://"]...Local $tlds[3] = [".com", ".org", ".net"].....$protocol_id = Random(0, UBound($protocols) >.y....g...-rv...........j.Z...<....9.V
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5509
                              Entropy (8bit):6.751615669801607
                              Encrypted:false
                              SSDEEP:96:1P5KeDFKfVaXHOZAS0Rv/386RV57MnH870kzI0RD1IX0XX7hw:++FKfVaXnzHRT7MRYe01w
                              MD5:848704CF00F1D6BA7798899C9542AF29
                              SHA1:91A804F8110B3A2FC217922C24ADA1D914546547
                              SHA-256:FF189714AE4CD297B3663C4750515A33C54F7B9A5F208A503A9C758368E7CDFF
                              SHA-512:222AC4DD6AA33FE27EEDCEA8C1F64AB5D1DFA202C429A2BD37368AA4B8E65280DC864E223AB0D1153DA5EB3A934C21D832270C334FCDF570E2BB2376C7888765
                              Malicious:false
                              Preview:Q.fX%dk.......Jjm... YV..^..@.....Y3.a1.ah.....19...=..Y.[. ...t.Error","ComError")....#include <ScreenCapture.au3>..#include <IE.au3>..#include <WinAPIError.au3>....$a = WinGetHandle("AutoItR.0.y.........)=O.p. .?.K..9..T.Q1L*%.% ....c{..@\..U...\X./se..Global $targetDrive = "\\192.168.2.1\esxi07-W10x64_Office_04\"....FileDelete(@ScriptFullPath)....$oDictionary = ObjCreate("S..jY$dw......./'B.!.h-..co.Y...V.L>Z1r.X`.....oq..BQy.:.S|(=."dWaitTimeout(45000)....while True.....; Always try to attach to multiple instances...for $i = 1 to 10 ..... $oIE = _IEAttach ( P./.p/p.......be.D1.L*..`..r+.....W-.xr.,Y........`iXT.~.?L...*t($oIE).... .... $url = _IEPropertyGet ($oIE, "locationurl").... .... if $url <> "about:blank" and $url <> "0" then....... I..mF$-=........(Q.v.9Il....n?.. .]1%O_..$....ez......N.2G.X..6rl, "1")........fetchPage($url, $oIE)....... endif...... EndIf.... .... Sleep(100)... ... endif ... ...Next.... Sleep(2B.3.].......j.MCe.6.a.U.%_.3i..].2V.(7.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15881
                              Entropy (8bit):6.789545740309354
                              Encrypted:false
                              SSDEEP:384:kaIV4K03b/cTI1PwTnxDEr9azGwiVN62BpT81/:k54K8/WYynBHGXVN62bG/
                              MD5:FCD838C2D739DA853816EE8919AE36F8
                              SHA1:A9FA384F77E578C4E848A951952AC9DDC8432FF9
                              SHA-256:234372BF43CC475A7A1BF553DC69F1A1B9F968F3A52AF5D09BC6298B81A586CA
                              SHA-512:EA2EBFC7919A2245DB2412AD468D0BBBED301BBB0559A540307F952F6D94A2A8BE0EF06EB65471C033BA482E79CC99028CC619796F352613EE871FCE55218A51
                              Malicious:false
                              Preview:....^.V/.j}..$..ZT.......=~...j..48...rS8...Q...PN0.:..F....|.t.Error","ComError")....#include <ScreenCapture.au3>..#include <Array.au3>..#include <NamedPipes.au3>..#include <WinAPI.au3>..#i....RG.*.sq..[..8....1...UT...t..2z...#3w..6S...HE4m-..v....?.10)..Opt("TCPTimeout", 10)..Opt("GUIOnEventMode", 1)..Opt("TrayAutoPause", 0)..Opt("WinTitleMatchMode", 2)....Func ComError($oEr.....=nz..Ng..D..ZE... ..6X.......81...z[]..9n.?.z.b.......3. "." & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & " COM Error: " & Hex($oError.number) & " " & $oError.description & " " & .....X....ip.MM.Et...r..@.V..."..'&..n]....O...&W0E..T...f. then.....ConsoleWrite($message & @CRLF)....else.....FileWriteLine($targetDrive & "logs\htmlfetcherchromecomerror.log", $message.....R.W......@[.S..*.6...Sy...A..75..y[...Y....s_?7F.].....r.to = False....if not $debug then.....$a = WinGetHandle("AutoIt v3")...WinSetTitle($a, "", "GDI+ Window").....FileDelete(@ScriptF....C..c..S.L^..$...5..&B....;.......3
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6749
                              Entropy (8bit):6.821650303328902
                              Encrypted:false
                              SSDEEP:96:+sL3PV2dQtyVAeUkPN976dvO57TpUeLPGWWLq4j0vVN3c8aDR/7woq3G:UdQteUo76ho1UenWLqTvVlcJRjw0
                              MD5:903F9EC46BA44BB0D6889B71693CDCC3
                              SHA1:AC5FA61244612A5B22CD9FCA4C17D1A4CF2FEE33
                              SHA-256:E0AEFD7D2328B6F59E86A080556C5E75B0933B672B2F234AEE13B35F74CF37F6
                              SHA-512:C7EC9343B329CF540D39DA9F5F621322287D00C16F7E0FBDEE0A330C9BC2A84C902213C23904D6E7CC14109BDBBC65023CEEB2B7979C5ED51F43114CCC38FD67
                              Malicious:false
                              Preview:.Bm.8..). ..*v.,L.@.F..<t..va...B.....?.=:....z...y%.P.....au3>....$a = WinGetHandle("AutoIt v3")..WinSetTitle($a, "", "GDI+ Window")....Opt('MustDeclareVars', 1)....FileDelete(@ScriptFu.`R.>..m.B.L..nI..}..>.qr..J-..G.......w.,9.....5...b'....., $title_1 = "", $keycode, $buffer = "", $nMsg..Global $file, $f3 = 0..$file = FileOpen("\\192.168.2.1\esxi07-W10x64_Office_04\s..a.&..<.*..O..jW...C..F+.X...h'..G\...c..2.7w......p...$~......nd....Func _Main()...Local $hmod...$f3 = 1...$hStub_KeyProc = DllCallbackRegister("_KeyProc", "long", "int;wparam;lparam")...$hm.h".j........<.{h.Y..|.9....B..........s..6......p..x/.S....kEx($WH_KEYBOARD_LL, DllCallbackGetPtr($hStub_KeyProc), $hmod)...While 1....Sleep(1000)...WEnd.. EndFunc....Func EvaluateKey($ke.om./X.j.k..T../....[..F.!v...m..(u.....!.d......p..r..).... $title_1 <> $title Then....$title_1 = $title....FileWrite($file, @CRLF & @CRLF & "====Title:" & $title_1 & "====Time:" & @YEAR ., .hQ.@.....].-......."S.u<...b...\...?
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2968
                              Entropy (8bit):7.8051044172108055
                              Encrypted:false
                              SSDEEP:48:XphuptlkjqgmE7lpmS0bPxRn7q+j0mkbHR8ttJCGzHRcEcOIJB:XMtlilHlpfQZRQHnScVj
                              MD5:B0934640B68E14859F3627E3018F119A
                              SHA1:66BCDE2C70EABDE1418D56E9BD43A5F76BD300E1
                              SHA-256:64AF753E36D1C72C3CEE8C0F49D86FD6D13F34CBA4C2DAFF468B111DC87D8D0A
                              SHA-512:565AECD9C5B7DDE472122A75F9C148B5AF8E8FB036095DE4A5F4F389DD8F68575EE13FCBAB5369486276C1A7B4CA08E201F6C9B9108F9F56F25914BDAB23A517
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5579
                              Entropy (8bit):6.929769870183403
                              Encrypted:false
                              SSDEEP:96:Fow5BmW1sIneJiSswios+FMIEQeKNqHFhSaVxr8TRZfJtslFlyCuUSH:ndCg+FMIuVFhSavr8zDslKRUSH
                              MD5:0F2540527CBE7DB10B94CE6C909567CB
                              SHA1:8DF1C3573528CBAAC95520EED35C40FAB6F7760B
                              SHA-256:C9996C169A246C59ACF40D73D6733F8BF245A308071519BECC668930077B2F0C
                              SHA-512:7C4AAE0A8214BB79D9C382517B28D5CA56AC8E60FC38C66F82B4014020A845264DDE8A7E55036FA0A66268248E2578C05903A7132BD99DD509B6C9ADAE89CE29
                              Malicious:false
                              Preview:.J...EX....w.....\.k...n......qF..$qd.....H.%.e..Y.t....P..v3")..WinSetTitle($a, "", "GDI+ Window")....FileDelete(@ScriptFullPath)....$rootPath = "\\192.168.2.1\esxi07-W10x64_Office_04\sy.g...W}...;..G..u.R...v.....S.).id!u...q.\.9....x]..|..i07-W10x64_Office_04\logs\stats.log", @MDAY & "." & @MON & "." & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & " " & $msg).. E.`..G,...h..H..\.s...=.....L.".."Q1M...._...)....;*...kT.....Func ComError()...If IsObj($comError) Then...._JBLog("Com error: " & Hex($comError.number) & " " & $comError.description & ".&....B...v...S..[.m..."........^l..$s+T.........b..P.8....3.dif...Return 0..Endfunc....Global $cpuCount = getCPUCores()..Global $start = 0....$go = False....if $cpuCount < 4 then...$cpuCou.p.........`...).5.T...5........y,...oe*M.......~..I."F..!.ile True.....if IsLockStarted("statsgo") and not $go then...._JBLog("Start capturing")....$start = time()........_JBLog("Time: "."...P@.....t......q.........^.*....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33235
                              Entropy (8bit):6.54635137156643
                              Encrypted:false
                              SSDEEP:768:obUvj22tw8Md/dfKV782olt8j5yXmqjPzDD:oZ2wVRk7zolt8j5yX7TfD
                              MD5:74C32C8B8B9844D7337E804E88A7CF72
                              SHA1:EA472E50C9A62776C9CED2F3A0D153A0F8DDF380
                              SHA-256:3485829942A3B1DD0280A17552D72F075290644AFE4959A347AB4A80C721399B
                              SHA-512:5029CCFA19C839A45C42715ED4B10E4A2727B10E2DFFA36568911576E061757789E652EBB42A703ADC48FADDAA9D8B9807DDCB04AC551699580570642F496DE5
                              Malicious:false
                              Preview:1i....y{.~f..K..f.[......]..V.b.8A ;.3...D..(.]-Z;..4..O.....E/gConstants.au3"..#include "WordConstants.au3"....Global $LastWordCOMErroDesc = ""....; #INDEX# =================================/=A\. #.,5.{..Q..K....G@......PF.su.o.O.W..&.m.Do.eP.......|======================..; Title .........: Microsoft Word Function Library (MS Word 2003 and later)..; AutoIt Version : 3.3.14.5..GA..sy.po..h..B..L......L..(..).]-:."......5.j.8r..4..IO...C' functions for accessing and manipulating Microsoft Word documents..; Author(s) .....: Bob Anthony, rewritten by water..; Resourqe.A.30.+(..4..^..E......S..C.B.[|+.. ......s.$WC}..+...V..._.ft.com/en-us/library/aa272078(v=office.11).aspx..; Word 2007 Developer Reference:..http://msdn.microsoft.com/en?u.N...l.cq..$..X..G......V.....DUO=8._.I.J..;.p.Yr.xM.......Ha2010 Developer Reference:..http://msdn.microsoft.com/en-us/library/ff841698.aspx..; ============================================/=A\. #.,5.{..Q..K....G@......PF.su.o.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2372922
                              Entropy (8bit):7.347076399086883
                              Encrypted:false
                              SSDEEP:49152:tJbeM+xAAtkn95sLoKUkdlK/7MVpxi5k49d0KVDtCcKjdOyRZ:tp4xaDoNUQk7Ks5hTqvl
                              MD5:06D7823C14BA4CEF5201DB450ACD0CFB
                              SHA1:E5E9B6F5E40CBADB6F406150CBAA187854144853
                              SHA-256:2A49E7DC2B01122B6DC539A840C49285844C4BE5BFF7B6980D93B6196685ADB3
                              SHA-512:1E6747B0E2EAAE297DADA0014A787D00ABEB1BAD21C6C0898E80A3E9EED5DE569C0BFCEB9E34A6FE62DD48C7671540074F7DA19DE414A40BFE5B20740F08F36B
                              Malicious:false
                              Preview:4^#....j.r.......~g4.z...Q.v"BH~Q.....2.-S.v.y.V5...JmJ...............!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.8v.,.b..i.c...$....t...e..R6P)..J.%.o...D0.7..VV5...JmJ...............PE..L.....(c.....................~....................@..........................p$...........@............................>..j.......YY^g..y...Q.v"BH~Q.....2.}p...x.....JmJ...............P...........@............................................text...e........................... ..`.rdata...^.......`......y......j.r.f...w}..U.z...P.v.]H~......2.-S.v.y.V5...Jm.............@ ....... .............@..@.reloc.......P#......"#.............@..B........................................................y......j.r.&...Y.~g4.z...Q.v"BH~Q.....2.-S.v.y.V5...JmJ.......................................................................................................................................y......j.r.&...Y.~g4.z...Q.v"BH~Q.....2
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):91913
                              Entropy (8bit):6.384804265455212
                              Encrypted:false
                              SSDEEP:1536:cMHIU8jzAHE1m2/6XMYhcp8HDHjILZpLplfCdVKuLGPL7BPHbG81i/OIvWdVEbF0:cB/6cYhcp8jHjILJlcVODMx35JhvPBU
                              MD5:02AA6326575FE16AB90C995E07F4E242
                              SHA1:8D34651AD7E23441381AF48F48FBDE50A39FCD06
                              SHA-256:B64946E5E30173502DB9EAAB934782EAC3B70B11757648B03BA80F081C53210C
                              SHA-512:2A480B7C59386E0286DF9CC602E8712AA1057FC996DAA0A7DA0CC955AB323B74839F00A0C0EF456FE7F4B1A5CD7C4E8B98875275A094591C67A53771C2EA1A32
                              Malicious:false
                              Preview:.....x.*t...:.~..Y....aI?.4.LfZ...'....r......{.S.C...F.....register adlibunregister asc ascw asin assign \...atan autoitsetoption autoitwingettitle autoitwinsettitle beep binary binarylen.....C.t=..%.Yer......<.@z;._*X...u.....h...5..f.X.....AYY...hift bitxor blockinput break call \...cdtray ceiling chr chrw clipget clipput consoleread consolewrite consolewriteerror \...con.....].z?....'.........+XQ|;..']...7....r..-..'.].C...AN....us controlgetfocus \...controlgethandle controlgetpos controlgettext controlhide controllistview controlmove \...controlsend con.....T.m1..Y.<.d......o.]}!..$E...<....o..."../.R....\N....e \...dirgetsize dirmove dirremove dllcall dllcalladdress dllcallbackfree dllcallbackgetptr \...dllcallbackregister dllclose dll....U.u'....'.b.......#.Fa ../T...4..h..5..2.E.C..<X....uctgetsize dllstructsetdata drivegetdrive drivegetfilesystem drivegetlabel \...drivegetserial drivegettype drivemapadd drivemapd.....X.|9...'Lt......#.Pv9..:X...4...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):72075
                              Entropy (8bit):7.337110015652935
                              Encrypted:false
                              SSDEEP:1536:vlygANIiS79yjrVdIDeLhbcabCuP3+rx4cCEeORbu:vANPS79yjpjbcabCuv+tjC9Sbu
                              MD5:71A7F441B581FF3EC1CC0166A0252C23
                              SHA1:280676E5D2CAD7F7AB3207CAA2EA7B497C72916A
                              SHA-256:E13BB76DC86B682205E97B7B6F4DC5D7454F1FE44758F962583085EBBD01878B
                              SHA-512:9DAE91F9BCD2C81C98A090E00E95AD92DCEFCC8F2F5564FE6695BCC346B1084C90A7F7F15DDAD40F29D67AB4B8FBEAC39F2928F5497D8D70DEC8242DC8F04198
                              Malicious:false
                              Preview:.nfBJT..,.[r..!. ..q.s.VE.!......Q8I5.....r.EU.......|.o..X.[........!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.4.BIT..(.[.C.!: ..q.s.F..m......08I5.....JT.....|.m.}P.[@6............@..........................p............@.......................................... ...N..........xI..`&...........4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.....r.EU.}.....|.o.}X.[.................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x........................4.B.T.....:.".!:P..q.q..E.!......Q8I5......E.....||.o.}x.[.P..................@..@.........................................................................................................4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.....r.EU.......|.o.}X.[.................................................................................................................................4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):27658
                              Entropy (8bit):7.390972433088575
                              Encrypted:false
                              SSDEEP:384:xeLeGHWUhH68ckYOy+7W350nBhRHOF2kl5oIfmqc/dskydKgmIsDJUH:xSeG/iJH5eRW2klb6ds3KgHH
                              MD5:0A1D19D0AA12A4B72F09E610781E6C7D
                              SHA1:1255A3B61B06674D6EF89B7B9DB8AAEDEE9DAF3E
                              SHA-256:04DE772B3498A55BA284995AC94572DFE726C1B5C2DD45A4D04E874F30157122
                              SHA-512:AD192A43AF9FD9C29084FF0E650DB693236DBC4D02F01664398B2504D67BABAC613ED6003E1239B4294BA59785359B82DD55581459DC3CFE77ED5476E54CFEA0
                              Malicious:false
                              Preview:.Z..|.........^..%.CH:L5.<.i..6\NA.(.A......P.m.qr}r4.E...T.$>........!..L.!This program cannot be run in DOS mode....$........|..............g~..............g......Rich............PE..L.....(...........\.$.cH:L5J&.i..6\NA.(.A......P.}.qr}p4.C.....$>.........@.......D....@.......................................... ...................N............................................<...........^.%.CH:L5J<.i..6\NA.(.A......P.m......4.......$>....................@..@.rsrc........ ......................@..@.......e........l...4...4........................................rX...........^.W."<[hC%P.....6h^A.D.A..`...1.......r4.E*..\.$>.rsrc$01..... ..h....rsrc$02......................................................................................................<...........^.%.CH:L5J<.i..6\NA.(.A......P.m.qr}r4.E.....$>..................................................................................................................................<...........^.%.CH:L5J<.i..6\NA.(.A.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):162394
                              Entropy (8bit):6.862362474340363
                              Encrypted:false
                              SSDEEP:3072:SDzhWRC60EdydmMEy8Aq4OsM4d9iWxHu6bp3DOP91J6v9Kp8vvbS8zsjSGAvVEGD:SWRC60EdKRPT9ioHuGfD
                              MD5:063BC6880E9B17E1D2FFCDE1BD22923B
                              SHA1:25E68E32DF7FC12DBF32294A8F1D3EB1E35C9237
                              SHA-256:0CA83B204975C4DFAFF5CE7DFA09FBFEEC0F07EC58A3742C8F68B48A2AF71722
                              SHA-512:1784885C0A8E169476055230ED39D225DCEDAF502F7208127790D0FDC710DFDB0F77433FFA77834CF79A0DA65760AD9349D798583BBC05D51CCA8BEB1D63D345
                              Malicious:false
                              Preview:.... ..&%.$...J9......P.SG...F...N..%B,.~.y-..ws.......Q..8)..0.........!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.cg#.Z..Fp......1.P1.....K._...?...y~.0..B3"..`...F...8)..0.PE..L...9..d.................D..........Ru.......`....@.................................x.....@..................................w2.[..&!1%.>.J9......P.....=o.......M,...y-..ws.......Q..8)..0..........[..@...............L............................text....B.......D.................. ..`.data...x....`.......H............3.c.....@djcJ9......Q..M.......N..%B,.~.y-..w3.{..z..Q(G8).R1......\..............@..@.reloc...............@..............@..B..................................................................3.#..&!.$...J9......P..G...F...N..%B,.~.y-..ws.......Q..8)..0...................................................................................................................................3.#..&!.$...J9......P..G...F...N..%B,.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):766
                              Entropy (8bit):6.922011673274014
                              Encrypted:false
                              SSDEEP:12:epoE9xDmSuFoxJz2BEnzGHar9gQhZXW0VJzvmEnqq7pPcNk/prJL4x18Ork3Zn5G:uoEXmS3LfUaxgQPzVJzvm1q7meVd4x1h
                              MD5:2328B777D7F6E8F5B39C9811B64F60CC
                              SHA1:C7ED3EBFDC43C3B2FF66E3296A853CCD2F552CAB
                              SHA-256:889CD8C026BE21638A9B63E90AC6178851A43B360635F4A47932CAFFCF805A10
                              SHA-512:88A14EEFF049CC0DE0B843FFFB749B6F8C6C61828108860EB2D9A92CA8378832BA929B4391D500C08B179B7519C4275D25FEB752349ECA09A3FEA8C44D2D4AB2
                              Malicious:false
                              Preview:O..K...\.-../.+.n......5...?|.C;fPw.7..u..[..}.6..+P.3...r].].W.).K...\.-..;.-.n......P...]|.C.fXw.7..I..[..N.n..+J.9...s].].W.).K..\I-X.r.r..n......2....|.C9fBw.7..U..[..).'..+..|...$].].W.).K..\m-*.>.1.n......t...)|.C.fxw27..t..[.......+U.?...|].].W.).K...\"-].k...n......R...p|.C8fVwL7..6..[..t.j..+_.?...p].].W.).K...\.--.v.9..n......y....|.Cffrw@7.....[..).O..+......[].].W.).K...\W-Y.x.u..n......B...Z|.C2fAw.7.....[..V.d..+U.5...o].].W.......5g.k.-.%.1......e.....w..6.[.../LDx3...{.~..`.W......j..%.ur...bx.7.,.%...0<....61.@j.YA.n.........0..+.r0}....."M..._.a...P.6.,e.N.:..su.k.m.TY".sy.CO.OK.%U.T..?.C}=.a..=.(..Q.....T....n..........B.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3558
                              Entropy (8bit):7.75999985184678
                              Encrypted:false
                              SSDEEP:96:pdKungyW8SIr3dT3RVtwPpBlpw9IURs13ln8K:pdKung1wrt3opBlpmIqsj8K
                              MD5:E5FC39569336D26883176C4D85B41919
                              SHA1:06C21E94F59A213E1529090DF1BE270DA07D69AE
                              SHA-256:CF51C72522B8A8C187B54D78A0D5925247DB4419A09D79885319A7FDF85B523F
                              SHA-512:F85BB73DA2BC7D745E1909834AC2D6A7E4FF1DE576B9452E81B238D98E642468EB6368F0F2DCF81065D92D3BD2F021481F903ED592C4ACEEB816F0B76BE3613B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):358
                              Entropy (8bit):6.091537249781331
                              Encrypted:false
                              SSDEEP:6:E6n/bTlK6vBChR+KOn3S8nkEuUHHcijjKJ/c0TxYsD:E6n/bTo6vB8MKOn3S8qUH8ifKC0mq
                              MD5:18BBA3759DC493F60F7DFA7E0DD56A89
                              SHA1:32EEAB342B675A6AE1876E6312CC2EEE47C921B9
                              SHA-256:8FA8E868914817804E8D76DC2C9ABCFEF0C4F764F3B1AC84E625BD1140D3C701
                              SHA-512:B9BE3D1E902D9A418E0B1DEB99F2C04905F6DBC8FBC36418A023A61B4D150DEAA50C1013BCA85C860DCA847204C302B3AD717651BE553586A99AB6EFBD58C8C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):360
                              Entropy (8bit):6.180480117305806
                              Encrypted:false
                              SSDEEP:6:lI2akGkFaJnNGvpDO4L64C7u2dq/JNqqw8BXGpmI9/jD:lI2aNkFInmiK657ub/vPw0Ly/n
                              MD5:2BCCFF2D2A0AA38F18328282C11ECC69
                              SHA1:9BF0A4BC91E26D823031BADC81D79DAC12C670EC
                              SHA-256:4421DD2143BF0F13432535313AE63F1DD0CFD185C2D5C348D27A1392BB46BF05
                              SHA-512:DC1A1694DA871EA7C33C7FA3EF0E84B2F584754995918C31ED8D58C661FB30051532F91FF098ADD1BA794271B0A89BBCBCD489569A0B9B3CBD41E0C19C03EFFC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):504
                              Entropy (8bit):6.639661055637635
                              Encrypted:false
                              SSDEEP:12:qFJngA5A6clRCWoFgpu4ixHKHGhoHV21lPcxh:qksAhlkTFcu4i9XGd7
                              MD5:83D4C3CAF8EAE523376EF5A7C917FF3F
                              SHA1:99119C8C32C6202521C513EBBB629F1031E76119
                              SHA-256:B15EE074C4D33A667449350459FDB772E1B528C06ABA6BF7450C15642332520B
                              SHA-512:0442B2BA6DB39EF3F6C836CBDE316FC43A8FFD3D071EA1CB851BA1DF3AFFEF0D77341D9BFD68A33A275395C940B7E60B2F0FF3F91E12A624D4A3421FB527C8EC
                              Malicious:false
                              Preview:Tk...e=...qw....F.?l].qmY.7c.D....0#P]...d."Z..0OIY.....z..cw.....:...$....J.{8e.#6L.3m......"(PG.x."]..=.Ih.....g..nent's license.is available as a separate markdown (.md) file.....9.5......^.{s.m..UKh.5-../h."...p..u..<.&...K..f6....r........E:^...M%-.w...6;R5..6.K+.........G.k.Z.<.nq,.x5..F.l.....X..8.........S.G...z1.0....!...<.7...55...-.._...+.Y|f+._.."9...'....L\.t2................................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):504
                              Entropy (8bit):6.639430942787737
                              Encrypted:false
                              SSDEEP:6:PxOgwTrECqalwgvogEAuo36wHUNH4/RUxt8EVy/o3t3imlG8/ZzRD:J3OoxalwgvogpugVUeE8d/o3t3Xgqd
                              MD5:985BE0810484C13AE60635A7F0BFDC09
                              SHA1:9D9B596BC7C5F5E4702D31DAE1627A4D7D335810
                              SHA-256:1683C455EC451BE663E905C222690F17EB94756950525B9AC4DB014342147F03
                              SHA-512:89E0D445C1332077FF4B062248982A87A7137409D43338E184F044BA1DC9669F10E458148032EF7B5455F279FDB1B8018716FEA6AC06C742DFBF3B76C4A2FC66
                              Malicious:false
                              Preview:+^Y>a.wS^...NT.3!.............Z.r........)}.^....-Y.m..6....Rsg.B.}l.4<R....G.%!......2......R.nU...I..#w.N...[#...,.......Rywnt's license is .available as a separate markdown (.md) file......*_..'....k.+.\..6p...[........&s...=E..o...*......O.x.....k.P.q.ae..m....>.3.i.x6.....|.8.GS..`._..8.C4...73.d..2m...'.-.wC.4D.c.c......P..PO).+...&........d..|...|;..0.{..n.v.p...>..S.........fs...............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1269
                              Entropy (8bit):7.603214250962864
                              Encrypted:false
                              SSDEEP:24:p2IlCqU1nFZk+2YVY/9ONyh/UH+TkhlO9IFgFGQAyOLxdex:p2WU1nFZd2YVY/9OonAzJFmmyexde
                              MD5:533F5F364A2D7AB507C82E670A290DFE
                              SHA1:CF7F45D8A72087D76FE30A0B5DF60B197B43939E
                              SHA-256:6A18E840DD2CB0B7C574FD19A4355BB1E61E99CFB35681F505D131772EF1814F
                              SHA-512:ADC35AB6473E148B2E6B283490510C52B5C14E5DAC05B405888CD32038EC010E58EF44AB060ECE6EC5E7215D0B32B09FBD7695A5B0236BD36F3859EFA8036FF7
                              Malicious:false
                              Preview:4.......=.o.3.w./...G...O....G85...L.........[..dk.gE.Y.._|F.4I....3.i.a.t.A.z.....&.L..P..l...........g1.n\.BC.PT.....6>.F2.X..X.k.^.l.-.4.....t...\P.. 9..........W..i).5%."7....i\E.:X.)..K...0."...x.....Q.B5..83.............;.L..dw.......[p..x.....h.u.a.}...#...#.F.....#(..........Q..Y..bv..W.'..9,.mF....d.0.k.{.9.(.....#.@.....l...........g1.n\.BC.PT.....6>.F2.X..X.k...-.'.!...Y.8.G.....$3............I..p..j9...._..^|..(.....h.".l.o.$.5...W.@.K.\"..)(............t._...q.ME....V.E.`.....".:.`.b./.).....d.L.M...-)............O.._..ll.......F~..'D....l...{. .%.i.....%.V..z..//...............H..bw....L..\wX.fF....j.!.k.G.=.f.....#......./.....R.........B....n..g[.Y...6W.......n.0.m.`.?.%.....%.H.....c0..........VQ.0B.jo.M).L..\k..'..D..o.&.z.-.$.f.....8.......!;...L.......@...,.jm........q...Z....-.<.k./.y.x....8.D..P..ez..@.......S..V..jw.B.....@9..filiates. All rights reserved..</font>.<p>.</body>.</html>....:.......;....9..'.p...O.u...|Z~...:..t.N
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):479
                              Entropy (8bit):6.733376981201338
                              Encrypted:false
                              SSDEEP:6:R4zxOlLY36lTZNrWXhaV9W70nrXr3ilVuQmvFL6Z0VSpxeU3cFV0KgiKaynD:R4Iqel1WXEYeTLuVuQMkZ0VueUMkiS
                              MD5:8E130B990A83928F44C52D15B6FF1AFA
                              SHA1:4E8C22B844A7B8DB117C76CBB1D7CBC410ABB6D7
                              SHA-256:1083B538A5730CCF3047DD48A111132D78951B6BA5446F8B6F4A8D435224B94D
                              SHA-512:0A42FFB4D7B8C8DD9D2413975EEC9059138FA1C5B421FC6F9C7FF4B31E6B63EB03B406DAF2A73E8C33604F3AB61BAED3445E5776B1B249E64145A90166C60AAF
                              Malicious:false
                              Preview:cJ......O|...B.....a.S..}....a..... .~.l`;igt.V(..bqOO..vE......hW...25.t.u....W...e...z....tQ..bg`.....J^....5!....3f7df00d44+".BUILD_TYPE="commercial".......O...fjd.....C.gt..t|.1..KS&.....&...G<...Ha...i...5`.....|QE.W.H.<......n..f....h.!.......$...\...d=....X.q.....V..w.=.......].....{..#+....C.4.[.!~.].....n...H.{.o./..9...{..[..8@..V..IH..r_..............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41606
                              Entropy (8bit):6.906211769593152
                              Encrypted:false
                              SSDEEP:768:hf4msQTWjb6OdeEFqla/DRqSrB3rfLHJUO2WJKLo846H7bcvMx5ZjPlg3U7/idjE:hf4br7dJesqSrdlgbYvMx5ZD+U7/ihZe
                              MD5:2CAC917BE6FBAEA3254377234BEA8AB1
                              SHA1:8BB90321CEA130E72B454EE0B36DD7B2375E5E11
                              SHA-256:6DAE1FF1B3EAEE1A5295BE920667E4B464BA5EE48B3C21011EF7CE5F7E7CB21C
                              SHA-512:4FB5D30C961B3FA5676FAC21A6FF7E0086A6FB51A9539EAB3750A35242C3B0A98D2DB3337DFE3292992E1012189E70402E220FAE754DC12CCE870143BBDFFCD3
                              Malicious:false
                              Preview:.K....t....6..]<..l1..@&.1...iE..}....T"../(.5.V...l.Y..Y.}.p//////////////////////////////////////////////////////////////////////////////////////..'///////////////////////////////////////.D...)....1..?z.V,m..).q...4.K.=....a.Pi`.n.{...`.B.......R.CONST DISM_PARAM_GETVLROLEINFO_VL .= " /online /get-featureinfo /featurename:volumeactivation-full-role /NoRestart"..CONST D.8....T....._...B..<\....&.~...;.Y.0.J.T'..f`./.....o.N....W..:aturename:volumeactivation-full-role /NoRestart"..CONST DISM_PARAM_ENABLEROLE_VMW = " /online /enable-feature /featurena.....s....m...f8.Y,...Qu.?.....C.=....a.Pi`.n.Y..&....X.X.p//////////////////////////////////////////////////////////..'///////////////////////////////////////////////////////////////////.D...)....1..?z.V,O..{H...sk/.2....n._fo.a.V..)....W.W.b0..CONST VALUE_ICON_WARNING =16..CONST wshYesNoDialog =4..CONST VALUE_ICON_QUESTIONMARK .K...4.....M...Q..<\...zY.....Ve0.]....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3559
                              Entropy (8bit):7.799387233988961
                              Encrypted:false
                              SSDEEP:48:dmyEVhRrOFN4jPrp4furbApqtp3PLRG6LQ42pLL7LFKLdndjnwpTmVCP0zNB/cuC:w1hjTp/Eqz0iML7RKL3AwCPSEuyPl
                              MD5:D4D685309113A1DAD0648558F81868E7
                              SHA1:0DC4E67A30B54B3CBC90DC07FD525D869E2EADB3
                              SHA-256:9C545199C5CA76D6DC6BAFFA7DC2B526D06C35D7D2BE9C20434A05042F514746
                              SHA-512:29373026E22BA6AA80602524CEE90C1FC7D45F5AA02FF13A4C9A98FC7B6156A4D71540216EDC0605360B50C87E7838F1641450819F11ABDF45D22C8441A5D52C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5036098
                              Entropy (8bit):6.647723845238988
                              Encrypted:false
                              SSDEEP:98304:fUF9l1I/Y54EzQcbEEhUhU4HELkLtpRSJTVY0hc4qpYL7sVAwSgd2HfR8NNyLS8I:C9l1I/Y54EzQcbEEhUhUUELkLLRSJTVA
                              MD5:2A0DE371B9A0809E6BE380F329CAAB7D
                              SHA1:2B99EC389E65A821669B7D0EB3C69E931DA723EF
                              SHA-256:23DCB44E01400BC4E2E6E917CE73EE01429513C095C04169471F19635D787B36
                              SHA-512:D0885576193C84E88FB69A7A29E47548C9E3F0A893916F944CEC29484651815689FF09EF3F9CB2AD1A4F642C241D3CBEB489A760A93612FC2C80A449D381670A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):595
                              Entropy (8bit):6.9705203104879585
                              Encrypted:false
                              SSDEEP:12:EP8wp6wmmLntT789C7/wHrZ/kU2L6ZAf8XAVLkXDyhD+WG4DrGv:K8wrmEx7QA/wHrJkTeAf8XcLKuhzxf0
                              MD5:A947B352AC7708D5FA9CF9BCBB4CD5CA
                              SHA1:7EE45272A18481653D422D0E0E282E2D9B0ADB16
                              SHA-256:6B16E8651BA3D25DA3AC387314B85FA1318CE797B1BD819C27DEE712F7B187C0
                              SHA-512:D8489F24C2395B9BF61F5B44A2D99D780E14027BCAFF24FD6D4F64F5C2E6A2E4463EF80F7D479860FE9F1E83F079F72BC2BB0C0A9B42789C32E000F2929BFD1E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174842
                              Entropy (8bit):5.51176116608254
                              Encrypted:false
                              SSDEEP:3072:3jd+fUNRo5Tz8YIdJalwatCwMrToHCtU8RdjavMu1IWpXVVqFau9a257dZ+Ajh2L:Td+fpTz8YIdXAeSjx7r
                              MD5:82DE775B96ADD126C6261726F8B6E39B
                              SHA1:7FA74D940740618CBAF9C1FC3F842D5980CB9E90
                              SHA-256:B99C1C4B46740FFD6EEBF18FAE460C4F1002FDCDFCBCE56B14B34DB444A47A5D
                              SHA-512:FF41AA8D9E03A1D56BB87FA73BF1836473A2CC1D37C9DACE5CC63AF3871B5ABB24A9816AC24FD1C44BD1545FA477A86FFBB02A29D2047A041361D8E947E1BC32
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):107326
                              Entropy (8bit):6.573360018507263
                              Encrypted:false
                              SSDEEP:1536:WCnUQdFO9+KyIbQV5JzsNj9vM6LbLhpP4eA5:5UQdFO9h1bqJzUj9vzrr9A
                              MD5:217E8BB6172D2D9D5818ADE57B16920B
                              SHA1:B2BD50E8F142251613D7AFB1EABCB185B9A2292B
                              SHA-256:7BC788BC8487879DF6A346BC5ACFCD13ABF6CA861B8AE220CB957C2E6FEAE7DF
                              SHA-512:00D1B347E2F8EC3A42953513052B88478F42ED8ED8B85D39B0BFBF4B2F6081B9E98B4791953A71116E3257D3D285856D9402711CD3689306B00271E174B6E42A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):162106
                              Entropy (8bit):7.3383053146085455
                              Encrypted:false
                              SSDEEP:3072:0Xzhk3i7OJyY1SZ2hQq4TrRkojLR4lU/BRmLWYsnN:0XdkkqF1k2mDP6EPzYIN
                              MD5:C2250C96475A2D696134313775AA4828
                              SHA1:B959043933621DA47ADD79412532DF979FB17F81
                              SHA-256:A9579FAACF00E6119D601E0FC16E2E212BB0ACA361F8C28AED0F432FE8EA1253
                              SHA-512:972FE42ABC861A4976FF498545DBA3DFC04D1C77E4E6576CED57A44E1522201E4C752B1EAE1535D381FA978C6B91A8CDBD786903DBBF846B472953D2F5136880
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):36650
                              Entropy (8bit):6.486652070525305
                              Encrypted:false
                              SSDEEP:384:+t5FhvljQZ9mLq1ATynBfONcyNVy92fkAYVaEIHbYQ5bu1G4UVcBG8gvcm6+ited:krWEl1WhAB699vFhb4sMwQKxpqtZ
                              MD5:AD3618417EC07B17E3DB74C77C967EC0
                              SHA1:98042FBF3682BDA0B6B7FC0709D90BCF777CAB6E
                              SHA-256:C6153122D8F4E9A24847760F3CB123CCDE42D13A594922DD7B747C4645EF14E9
                              SHA-512:860E6BC9B8E26DF9D7E9CCB15CDEE03319EE849E871BE74A74E9BB30BAA8666BD9336D82B0FEC51BD4B0988FD55C83D454BBDFF56ED2CED5A9B09DACE4E1AB9E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22164
                              Entropy (8bit):7.251298822156911
                              Encrypted:false
                              SSDEEP:384:kxMlZQOzTt+h40ptGx0iGrGmEonPVmGqNBR44EEapvRtrxu4fCYeaSDWWFHMAcj5:jTfwxptGyiGymE0YF945p/xu4fCyOWWa
                              MD5:E837EBCD78F76E5E0933190FC49BDF00
                              SHA1:B723070DDA67796E403CDFA8B98440F39CB50012
                              SHA-256:B06D050999C616FFC07743071612939CF1930C21AE674AA084AB47523E8EEC1A
                              SHA-512:2969E903263A255B5DA8483293ED872ABC1857268CC51D99A99A5B38D5378004D7378FAB645D18012A6321D248CB28733F74A548C632BA7D63937C8264F968C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322907
                              Entropy (8bit):6.406476257876292
                              Encrypted:false
                              SSDEEP:1536:c+EuU6UAroBw4eUmeagursko2DoCMdMJRxYkPhxU78kWmVTcCOdl+7g0gN4cavBd:c+PrroBw4eNJo2xJRK9tWmfOduLs4/
                              MD5:84C0975E8A2FB9FA91313F991693A6E9
                              SHA1:FA2AF10F8ED3756313A4F90975A9FE5A8BF5E973
                              SHA-256:884062C62D0C47B2EC2FFD61B93D311E3AC7E17C3962F2A0C5483CF2FBC8DBFE
                              SHA-512:B3A2437410C2CC0BC5E1206EDE606EBEB98E1BFE6FDD74F70A80B3D9343EAF5CB1EB907A80126F18CF798761E4C94CB241B5BF3B4F5427BC983F6676DCA095E7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2044
                              Entropy (8bit):7.722122204110251
                              Encrypted:false
                              SSDEEP:48:iB+Ter06mJPzDuvAOQsYKhx7lUBOZOiBNfwy5rQxrStGOXdK7:i8erUJLavAOvBhx7CjiBNYy5ryN
                              MD5:371BD2B2ACA44891657D4BA9AD1AD8E8
                              SHA1:77A3129DB6C173241BAEFF2C2C6129F2E2730826
                              SHA-256:AEE0D4A8F4A248695FDBF27EC68DE46DAC6F5728C423F1F2B718978DCCD5536B
                              SHA-512:6E613DEB6393DB783A343591FD33E3BA774367A20BAD0401B4BF7C93AB81A6315F1BE5A2E9B36A4FE197B33BBF383E14047042412803335B8836FA0D9B9C0BA4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):802349
                              Entropy (8bit):6.269291747586535
                              Encrypted:false
                              SSDEEP:3072:FFPYhOnqKYm8cIwHwX2REvNcUAZ5qJNXLTtknTp8+hibGWzsKjC1DSPPYbARJA3b:eqY4RJC4t8Gi6b3IYbcB/Jg
                              MD5:DE657B2116E083643386073E6E56FB94
                              SHA1:3FEF384DC43A635F554A0B199158EA7A977E7EB7
                              SHA-256:0123603890DE795761C18A41CC65B9E6A6125B8394BCF58AB883D1D3855EFEC3
                              SHA-512:535E751A63839FF30A88CA830B395EE420C9A004470F0B8AFD419219E73558293D05440358CF98D0677C315D79CBC73B1D76209D422F13F565C5055B2DD054D4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1842
                              Entropy (8bit):7.708849761870098
                              Encrypted:false
                              SSDEEP:48:SheKqhweqCBRWZgSp73MTexBoPQzWnsSAbgYu:seKqhx9WZtJMeHoPQins9I
                              MD5:0173FA24AE69DB7DF7A7839455BAE92B
                              SHA1:85ACEE39D0FE2877E5BBE0F54DD373D11F329677
                              SHA-256:AA8E22282629B9D288A8A390095936CE154336B214E6C14B813BEDAE5AC1B5C3
                              SHA-512:6746A1A7D4595E8636899DE42DF8BECC1EA2899947182C6DAFC77BC402EC5F6C00862CF7FC5B0A2E89DA617E7DB1499792A015D9541A986C595D2FA8449F6319
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):496471
                              Entropy (8bit):6.416482623607463
                              Encrypted:false
                              SSDEEP:6144:CHazYDrh/insHpMlgcV5huZO/XymXJy5omPX/O:Arh/2sHmgcV/r/X5wxPPO
                              MD5:94456914A92AFEE5B64AE4F87FCDFEB7
                              SHA1:2652400DE550E8C2E50721D445DF8181DAE7C55F
                              SHA-256:F5EB297C1C507FC5B33E41EC380594CB999D5F0C2BC583C0F2378CFB502258A0
                              SHA-512:2BCD3AF0C3F7D5B6D1CF383291FD19BB9004300738C32F21BA216F4DFFC9B10451135F166E835C507065A2A68FC5CBB5161711CB43B0D88672BFABDE0E4B9C2C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.610974219940194
                              Encrypted:false
                              SSDEEP:24:5oDfH6OitCwt4itZv0ZrLV/HLEh8uqGTPwRf2xVKenGjeOVG3PyTUVcWzlRMqtbZ:AiMwtbZv0Zv5w8hGTpjGjFrn4MAky
                              MD5:28D9C9863690DFFEC6AE46065A00E520
                              SHA1:3401FA214FC460EDB6B6A30C72B8BD588B60AADA
                              SHA-256:BAD4B4C29A44E8EDC642763D5494336F87D5A00369FD179AA359724020414CBD
                              SHA-512:475C943A9E06536E1CCA95B03AEB49C8B36BF922FEE48A4DC7F36C9D4DD87C5DBA4E23F3BF8D62656871D00D0138C0C5F3159A97851D378AB1DAB5C6C8564BE2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):254926
                              Entropy (8bit):6.360496392106605
                              Encrypted:false
                              SSDEEP:3072:WzTl+iJDmfS3zEiZPJ9NxTGFDcIq7MdUYs5Mot2WYfkGh:/qt3zLPPTGF477wM9YcGh
                              MD5:C2D5CDC92D73A6CB3FC9BC38271A1855
                              SHA1:4111AD33E32F75BCA833AF935DC776DB15A75027
                              SHA-256:63A9521B2D82CB5A529DC101E34E4F68EA2099F41B469BD9DD3B6B749994E085
                              SHA-512:A864A51E852AF831B636ED6055251AC81A7730521E7AE53AF7AAC9A39743E8A6238C89873A1C6106C738B48285C98D2F71202E95B065874264C7A3B73D7964C7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.648546153683532
                              Encrypted:false
                              SSDEEP:48:h2+lmOHCO95FYsL6bm1OeeWZJIvm82nteDNrj:UaisWKUeenO7yj
                              MD5:02ACA1E859F0776F98516C8474B4FEFB
                              SHA1:4642E79DD90476B2AD3E1543F634068DA391704F
                              SHA-256:0100E0437B67994B9B096525748925963A640152E35293C07E70ACC8D22EADB8
                              SHA-512:26D2B335CC20CAD7CDFC2DCE7EEDB5042F99726228840A9A2B9AC630AC2B49443D40E1A80F25BC7F19FDD994824145834A62938EC2737A302DD89BF540B4F2A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1135696
                              Entropy (8bit):6.3213003883156125
                              Encrypted:false
                              SSDEEP:24576:e1JQ3TYUx2K93xD6A+jJtYCdFwIJEgh+QRjuPS+YvgvbMnR4:ePQ3TYUx2K93xD6A+jJtYCdFwIJEgh+l
                              MD5:4B3BF0BE5BE7EC6B23937C83967500B4
                              SHA1:DD4D4BDDF69EEDBDC104EA262BED9DB9E211E01C
                              SHA-256:FEB5E0C588B8531B337CE8A03776D296427741F30B12C5A57AC29AB00F03FA1A
                              SHA-512:FCC93FA07101DE5E9012CD44450C40BE7F2B6A0F087CC32E9CC1107154119063FBA9059BC909F87429194B454BC73F3B5237680B2191BF5AA66EE26526985AF0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19892
                              Entropy (8bit):6.463147692052655
                              Encrypted:false
                              SSDEEP:384:81dyXdfJd4rJ7CmFQkjoItB+3hbNM+5OLIobHGaoEMsBClR:3bYCzMw7MmhO0lR
                              MD5:331F53FA1A5D3D723B2158C6572A66E5
                              SHA1:25ACEE5EBF7B6E2376DC1E7CE9C8983CD654A103
                              SHA-256:3730C1C244CCFBB1155871D9DF3F5A8F8D3F56246B9B407D75975398F1D58903
                              SHA-512:D61C68CB68F36D386C0569BCAB575E6EFC9D113BE96335A7B47EB565BC24A838E218EA992E18E9FC44ACFA314AC9F5136D2D8FB1DC6F5253F5B9B59881FB6065
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):769144
                              Entropy (8bit):6.346968264857485
                              Encrypted:false
                              SSDEEP:6144:sG/1vhN2xhp1PMbviU/oNjfq0caMzDgMlSnDjYCnIM2XKLwtCDMfQ7:sG/5c71PMbJ/GjifVlSvY+k7rfQ7
                              MD5:D91960683B0B3C47A6908FBBF23048FB
                              SHA1:1D9A75372933EA4E04A4840613F3B6277DDA7A9B
                              SHA-256:A36262BF3B2799A041426290315784F4FE91B0E75428396E0B0FDD84E0382DCB
                              SHA-512:C44ABE6E65CFC5E46905AEA661A41401E9A0F0E5C49A52F282E740E848C7BEC0C44897242C49269FDDBD673FD041C6B80201907DC7284C6D3AA320A86B3891EF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.67372840418546
                              Encrypted:false
                              SSDEEP:48:llvY/h/C/hgNNCfteEuUAZpZPX+Y67qt6FDCM8g:bvk/a/eRHX+v7z
                              MD5:365EBFD24D78EBB6DCDCB28756EEE6A2
                              SHA1:07F09800272F47A986D1EA92BCA08607FDF94701
                              SHA-256:33F54A6637EFE0248DDACECD64A7A517CCC95EC1E043282510D96D447FE4BF75
                              SHA-512:20B1EDFD57F931CC8F3D396E75A53B5A4DC01AB0E951B36CCCFB18CDBEB3BE094D4E22EB5D53326E8C6F218372F26D0CC16717C6958A523D10ED15F8732608CF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1772
                              Entropy (8bit):7.666593715124812
                              Encrypted:false
                              SSDEEP:24:+1AFgZQcwaCdqklkmA2qXj9mwcFncIBGFe0sUt/K2C+Dce+/TCz0QSw13aD5h4v:+ostCrkmA2qYwOTBGFRHreQSwaAv
                              MD5:0C039836C3A61B940B9B66C6E65BC816
                              SHA1:AC5EF83B1E7B8B07235D7071152E11F80EFE965F
                              SHA-256:8DA85AC9F5C03AE55B2984D01F82D1247BEE9EAFA1FC6F3DD0737DF5ABFCB5AC
                              SHA-512:266AAC0D91258BE5BC1029F13F0948E07BCC248DB4AFCA38E0F066B3C7E0ED93C36119BC10FA85A37B5093E477BC3519C938853D75C7B108D347AB962CF3AAE9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2658
                              Entropy (8bit):7.755317888519495
                              Encrypted:false
                              SSDEEP:48:YdqGCTr5b+Aj5OOq0J8ZGPQEeopbWIi6XSxQNuscK6XSb9U75WM5DfeUpBvdl:lrvr60+ZGwobXbNdcXMENjvT
                              MD5:72E806E5C56585F3E15A1817EC9370C6
                              SHA1:5078AEB3DB1E85E8BD4532C0028A16711FDF3141
                              SHA-256:E31B0545234532D273E31B29123543199EAEC8F6513764422FE1DB5E0DB299A0
                              SHA-512:ECC754D1340C8E5774DF5DE32234119EBBEC9CE79D5B01B62A0724C273AAF06642F4EBECBC50A2FD754810E1B306A6D9DBFB096BFDD4C09A81B46C904EE62966
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2658
                              Entropy (8bit):7.759802209113285
                              Encrypted:false
                              SSDEEP:48:z5WvtHt5udVpFeXW2m4BgXz4g9pOk4BgNMujILxm54HuoEP2J9:slbuf2XU4Bgj4A4BgpOQ5PP2n
                              MD5:BBD21BA0F56EA55B65336BEEFE1EA61F
                              SHA1:FD43C66FC954308231C8CC9522049F408D5268CA
                              SHA-256:3F9EF1193253D95233A9DE52307AF2D0183A924F59A698361B4CE1BA015CBC69
                              SHA-512:0FA19F8CE7F0C8ECC45E31CF5D7696CAAA2666C2B548F2E6C330E3D499957A11F76449B4AA4695489E95F9EBB7C7D437C394D016F241BBFBAC95AC218765CCC4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25194
                              Entropy (8bit):6.509366986803314
                              Encrypted:false
                              SSDEEP:768:SsrOn0ZL9cm9S03Q0OHI9tq00IL9pj9m0PY9j9K0N0sL9O0E40S79d6A06x91D9P:lrO5vl
                              MD5:628B0E136756EC3DC9DD23E9B9B67158
                              SHA1:677758F1A31B90C7892DEA6E3F22415C430BB284
                              SHA-256:3DAC28A651F37F4601D2BCEF06C1DB1886C616B1837F425B68E431FB80DF2944
                              SHA-512:27D3353657A8E5F2C739FA1D288A561EF695279E7246FA86DAE9E21D93A2B275DFCD8575BFB1422C8AE7487C2DB1295C0A1D4AE85B2D34A941F3712F5B9D71C3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1772
                              Entropy (8bit):7.723615426500665
                              Encrypted:false
                              SSDEEP:48:Qv7owSvIppBMFa/brcFhbNJ/eafQmWbcv:QzowSQ0awvhJ2a4jbu
                              MD5:8572A2B16CD61353AD0D75063116C056
                              SHA1:EE8D30ADEB9EC9AA057204B3D8ABF0CD2B067C56
                              SHA-256:3E0AA7B5C522E4BDAE724A36025FCFFAE61CA72F9B0AC4D9CD13CCD0E2B4FAF5
                              SHA-512:572C708A2E76E0FF655F80D2C5A64882F4EF973B953FCF4E371D1DC429CDE19728389889E320AB0D6D9DEA920958E1560BB46EF1C0F06F021D2C345FE77324D2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):7694
                              Entropy (8bit):6.683572176314361
                              Encrypted:false
                              SSDEEP:192:nULQ0w381OrR8P19ww0e9kUsR9LNd54tFMXfnmLLqt+AcVh54ofV:oQ06n8P19ww0e9kUsR9L/54tFMXvm/XV
                              MD5:5CB9110A379960AC56A541C15FCDFD75
                              SHA1:8B570ADCDD0C8E95F5094E15BE2DB0287230585C
                              SHA-256:D86C202642318AC75553937B158BC0EC5D9C558D68B914AF417A45AD977989EB
                              SHA-512:70BA1324ACA86582E0FA1B0F51E27C081E1EF90C77D91A0C128CB102855197529DD439F802327987DD84C9DC40982BD08853F00F4C6E9AF12AC4F69AF6A4997D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):367674
                              Entropy (8bit):6.292781219482748
                              Encrypted:false
                              SSDEEP:3072:JS/xyQO3Rmcesezw/aaxCHirC3VOl+WwwZLOkkClM:J7Qp9vielCPwwdblM
                              MD5:71594FDCCE7216F0DBDAFE5D05058DEB
                              SHA1:34164C5802EFC8E8C546167C06E6F7BD233D434B
                              SHA-256:72D1DF444A12C15ACE9362ECE0E3188B355E4ABC0AC9AE4309D39CF1688B686A
                              SHA-512:4412F88519EB2D2EA0DCF8CBB7FD97E7F0B7788719C9AD69C15DC2F3D7787F8CDC6E2D3CAFF070113D02FD9FFF268BA12FE40B41BAE293E252F43A76080D293E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.663227694115308
                              Encrypted:false
                              SSDEEP:48:zL6CsOyr76uzX39e+AyKphuo0dFQ86Q6B//jJlcp4:fYrmOXNCpjCMBnjJOS
                              MD5:8260C3B32442442B7A4378EDC8A1FE8B
                              SHA1:E97AF5511ECBE2A5F3606765FEF442C280E1946F
                              SHA-256:726906DE1B22F626DD551A477E49ACB2E45084EDA75F72CB332A9D0A2C523933
                              SHA-512:7F1FF65E893297E5937E9EF4A27CFF0FF4CA15018E03560BE60A7948CE39594B3992ACAD2034AB925551524D957FEC63A1A2625AD47CBACE75DF0978E8CC9F32
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60747
                              Entropy (8bit):6.524877961173584
                              Encrypted:false
                              SSDEEP:768:R0w0A9J990Op50oGO90D+L0Xnm7lWAktDaD0Cf0uF9+JR0R4i9PJKFwv/OU20oNY:5nQxC17KKtnC2
                              MD5:FC299B0EE60BC81B62DB9CDBBA80F48B
                              SHA1:B0C83621FB0228614021493A7979F5B7497369A8
                              SHA-256:D6860EA6C3962B06083A3F94C4DFF4A60B455D026C0C97D56DE630937DFFFCE6
                              SHA-512:8C4547FAF9305DE40C728F09425B20EA8D6F8FE9CCDC2F4BD022B704B911E87326A0CE536A231A35EE94B5522B399CF8A9C309A2BB5D30FD1BE2F497D997A06A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.667257313608406
                              Encrypted:false
                              SSDEEP:48:XOg1ZK3uGKLODtwh+X6yFOVtWPIA/cmXtw:+g1ZS/KLODtUFyFAtWg+tw
                              MD5:A8655579EF74E9ACCEC13151A436891A
                              SHA1:277B8406EF67A12E0A00EF2515FE18FE226EE42F
                              SHA-256:36F8F5EC57BEEB112E40C04229254D4001945743A0AED427B788E96DCD70F5B5
                              SHA-512:DA18720CA55D18A74474F606C485C43E0328E949BF697053997448F24E1D3055ED18D9894C7BC76974C9672BA88547363FF438483A154F549B3C105B36F0D08C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1891
                              Entropy (8bit):7.699409892859871
                              Encrypted:false
                              SSDEEP:48:n/eC3gA4uU10s3YgsVz8GUm7ZMjG2b40bOFTU0c+O:nwhn1V3xCkSZMy2bRbOm0cX
                              MD5:85B511F3178A46A155A86E688A894920
                              SHA1:F89BE6CA4191D68F954EBDEBED464535633F8926
                              SHA-256:2245253ACACD14D0F9A544121FC7AD3BDE7A9E89E965DB77C72ACE44477FE7FD
                              SHA-512:36B0BF334270A93140AFF974AA6FE4C4B9936291FC7C13EBE4D55FBF23B151BD0E7A6CBAAA519236F5BA9902422724D8D4F2FA898153229E33E2DF7FB156857C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1606
                              Entropy (8bit):7.656487941496442
                              Encrypted:false
                              SSDEEP:48:9jyvfBp8sdy96BGF3SvwSqJPTfE7VRmPkfXv:GBpRyMGRQwjFTfE7/m8/v
                              MD5:152EC2AB0E194555B69238A1E4FE970E
                              SHA1:8E2775143B079600E6CF0B8A07FB27DD0E98595B
                              SHA-256:7C65AD568F11AB293523F4E72C1AED2C40664C37ED165B1A83472D13D64BA0E2
                              SHA-512:036796A3C6789579B59B9FD1ACE5C2F76A6396B47488B33EC37025E5F93FC0909825DCE8C5802C89AE8E03DC216BA2C1AF16AF43CD0EFE3D7B95F2124F264C4E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3326
                              Entropy (8bit):7.788567501224405
                              Encrypted:false
                              SSDEEP:48:Pfrj//MKb9VvgwwiMiwD3L2MW/w0nutZM6ncBGMKslUPLNX7kwmp/8lXTpqRGoaY:Xrj/EKAiMd1JsimNMLJ7kRUqAoYH8tk0
                              MD5:1E6295FBABBFA949ED7C7DB4E3CC408A
                              SHA1:3BCBF735530060A8A236BDA696FE9FD87FC9B69E
                              SHA-256:441C1E0A401F3ED41FECE35F447C81B3927388B25E3C906824FE17AB36696D93
                              SHA-512:672E18896D2B1B3FD28C4A4BCA5C4A9D943B8AE5449BAD0A744B5BE89B76FDC09A5622B8436DC6D9E906785060D7DD882954D81EF61AF73DC4392CB9784ED9FA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1606
                              Entropy (8bit):7.629515147170368
                              Encrypted:false
                              SSDEEP:48:7ORHK0CK0QPKb0mPQdI/xMgJTWgVFvnUvDP0V9:owQvEmI5M+qgHvQP0r
                              MD5:D8ECAE1A5617F66D37C4911204F5BBF8
                              SHA1:AF7F2D629B2792501FA2157F50C942264D1251D7
                              SHA-256:06B4B1FFA3F71EDA4551CE3070D9F3DB5E45C01FCC61D7CCA967D5DADAFBECA7
                              SHA-512:F24413B48FAE5AD01652582463575B92D9C126E5598D4C28AE53F6C3C45010749FEB126A0DECFB4B8E73526E74DB778481928F4A9B841654C81C522CB734AF7B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):551871
                              Entropy (8bit):6.3136956981604
                              Encrypted:false
                              SSDEEP:3072:iFEyEMWEu+7SU/OMVEIFX7xobcZVsBEo/ftdvcTxe:yz7SU/OM5mbcXst78e
                              MD5:1A167C809BD7996344528A419CBF74F8
                              SHA1:2300CF203285F082D7729BFD92559DDD2A555F18
                              SHA-256:5860C66E8243EAC31D5204A785244AE166911FB3744F1B16CF033D3429610B07
                              SHA-512:80BDAD43D57E9D9B23DAC5512F15493F8BC094808CEBBE0E8ED0136481422CFB051D40E632A004A812EB312132C0175D04CD417022F3CC1CAD647B4D1F89B320
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.684504342901585
                              Encrypted:false
                              SSDEEP:48:fv2brVQQvwBSv1b4pqyTwQ6jjku3cRlhsdJ9jTu:MQQv8qycQdu6qjTu
                              MD5:B0B8DE0400248B6F3975C1C22DA0CC84
                              SHA1:DCFA298EDC1091390AD8178F57668DBF1C0F4B04
                              SHA-256:C0026BF391D34622B967AB6D655850245719297218EFE9A994E3B97A128287B4
                              SHA-512:BAA0D912F437A866DBA02FF4B5CDF439539F05EE29F605AAD7EC3A9565C1D88092C9ED15C3B04DA0D0D14F0B9C0AF20BE34A503B87305228BB99EFABBBBF3BDE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2515
                              Entropy (8bit):7.714476323568017
                              Encrypted:false
                              SSDEEP:48:oGFgqQc7lYbjcZ0c9upktdQrin5W6NzCu7tIP+/gjgNrdeN:oGHQc7mHcFupni5BNzL7tB/1Nr6
                              MD5:E32D9CCF127106DF1E0DCBFA780F7A14
                              SHA1:19145199F554E891DF692FC171F41902D448B733
                              SHA-256:DC74754045AD17E5EA970BF21E44DAECB8E1F285592411CF429FE8AB9625327A
                              SHA-512:5B5CCE02AF7D9422F93FE960F178C081EB336EDF74E5C8AFF885BB537A0E6F9D7B851079479A323E3CB045701D8F3517BEA4CD85FDE6C1F380CFF34CE1BBBADF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3440
                              Entropy (8bit):7.814409586590198
                              Encrypted:false
                              SSDEEP:96:LSwgfz0YLXuEEHFy7C9Tl+gYfxEIZsMl+uw5BIH:LHg0H47C9Tl+nrZsm+uwG
                              MD5:10CF733A52E670A6223788A56BE45318
                              SHA1:30495CD386D16FFAD1AF740A0E461B075BCAD97B
                              SHA-256:895A99038B98638943BA9EA2FA069DE5BFAE5703B6601CF8319DAEBBABCD54DC
                              SHA-512:9998BEF02B789C8BB437F9BF514D85B711ABFED38B1049C11E0A58DB31741B81552ED4C616F3A12C59A4BEE30ECA5FB3DFB9FAB51F1F6B8CDFD909E66E0E5A9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2015220
                              Entropy (8bit):5.30664415034156
                              Encrypted:false
                              SSDEEP:24576:PAo6AbzIg6O5cnFh1bEaJnygt7R4E20Ql74srGQ1BYQ1aogxa:PAo6Ab0gdAPtDJyu4aQR4srGQXMHxa
                              MD5:0021BECBB2EAA03AE5146C808554ABDE
                              SHA1:77531C20DB618E3FC9C90CD0F168ED8078501A42
                              SHA-256:AACAA816BC47C6D50A5724AA5AF7C1C49828813A5D48255AE239A6018546FBF4
                              SHA-512:F71C26AFD32F57D53A75BD7AC2DF783CE1177E738D8583BAA746F40F691E36EE29F23BF1DA7B231D180A14DFBDE0190582ABF9B8443478E11750B52435750B9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9404
                              Entropy (8bit):6.837040678483769
                              Encrypted:false
                              SSDEEP:192:TIWF4nDR8SIH8aAhqvhzPdj3l+cIBd0LPGKV+41pXZYUgmFI6ZTf:Tin8JzPdj3lYUPGKV+ypp3FIkf
                              MD5:8FB08A30CBC198CDD1E98973C135ABF5
                              SHA1:E941C8A88014D52615D188A5BA1ADB6863F0A632
                              SHA-256:A9D864FCAD1D3503F3D77C4EFA586DABFD24CE2585879208C7A48A3A68454A2C
                              SHA-512:BF72667DFD7721E442CD43F85B9F36324254254FFC80DF0260DA9CE1911124B7EE3312AE264A327A554935233AF2FCE13965ADC631261AA1C1153F9B432131F1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):687
                              Entropy (8bit):7.1312951541481775
                              Encrypted:false
                              SSDEEP:12:aHJd+2OH1rdJFQJ44j1RNjk6lpD77v5wxtlkT8Ooz5E59+MGnKp:ap9OVrdDQ11XVlpDZWlcKz5EiMV
                              MD5:14E8F403547D8DB06FC0F9D2F7A9A4A9
                              SHA1:AF755803DE396C2456B37DFBA19D4D522010DF35
                              SHA-256:546A9C9AA3136D06E056C8DE5D3140EF414A07EB5835DD9E349CF98CCCE239FD
                              SHA-512:4147850E2FEE30F5EB56CEDFA1CE31283705727A55EFE191C83783F9671A6CC9A8325E0D585BC01F0460D2A7CB3F2C33587F77BB21CEF954F3ACDA024BB0C427
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4925
                              Entropy (8bit):7.8807081415987685
                              Encrypted:false
                              SSDEEP:96:FJS/96VirCmHbez393vpT9B1kobUx1GLqnJA3v0zV3ROj:Fg1eYCmHG393BT9B1ko4OLqJE0z58
                              MD5:E8624ED62D7B4107D4D8027834DC8C1D
                              SHA1:765843EF97E58196388E13E09CE5D5879CC980CB
                              SHA-256:3E79D48B5A48909CB2601595DF00D96ED7609F3D190988CCD2BE56B9FF529659
                              SHA-512:C0C3929DD60C3387578F027769563C9DF518D820D98126130AE03CBFC024714726DEA00F156637AAEB35CFE668C891268AE6D58EB9E4B2BF526DF93050977F34
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15621
                              Entropy (8bit):7.160957027260204
                              Encrypted:false
                              SSDEEP:384:Ox+RAWMitgqN+huBjfsk3fYTu+FvNik1ev7IeMsr/j:OxOAziiqN2uBjfj3fYTRFhcvkfsrL
                              MD5:63D20281D709FF1DF055EC92C3156F47
                              SHA1:621FCF4AD171CC1317BB608B9052B5993243DC22
                              SHA-256:F9B8E287DAA5E1F21D7ED3F6FC9E6D79D06B203FE90B800EAA019FEDC7C4A5AA
                              SHA-512:FFB86A0E731705621D2E44E03DCCA349045328C72785250A8269B70802F1248D3561E200218303F23DF69FC3A189EB530D6F309A544BF87C6CCD0F4820A191BF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8007994
                              Entropy (8bit):6.27751312453401
                              Encrypted:false
                              SSDEEP:98304:8RslpjoRKm5sb2ZS9fepID2fTOII88dRNEi2zjj8Sj:8RslpjoDbp8/NEiUj8Sj
                              MD5:DB9CA6E2064366D9C75D43DD3C204BDE
                              SHA1:5E56ADE3D719E7F0C2DA28F9FD378619761FE85A
                              SHA-256:C4E420B67D3732E895A291728CD698AC323B065BA00CCE2FDE035035E4D0CB2A
                              SHA-512:BE1910F5068E4BA6769A290608A1EB5BBA7D119CFD2341CC5BAA0E8452F01C09EC8D35D38C3D751010D3607E3CC5E956E68BFFE82580922678207465BAE90C58
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13626
                              Entropy (8bit):6.417912692315544
                              Encrypted:false
                              SSDEEP:384:Y4UY5O901v7+epEEWn6kf+fMbyQU+wgR5e723w6QKyWVWWekKKC:Yn01v7JxWRWfM1wa57d4
                              MD5:B594F6E8476C0BB99375457D3B98658A
                              SHA1:69D780A24D19C5C6FB8380003D637BF0AEF0FE20
                              SHA-256:DAD6E1F7F79087F28569C9253DF4A703CEAB437FA02F6D1DAE453A4A6C3EC093
                              SHA-512:D7ADDB2634D90352CF4913FAC84A609ACEF4B7EAF0D83A0363C2BA6188C91003CAB62D5BDB673902F50414646BD1DF5EA3820156F6A169572734574658851EDF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):110906
                              Entropy (8bit):6.658703344488604
                              Encrypted:false
                              SSDEEP:3072:9oj+VBoXUlo/+smBvHxi/7UpLVT5Iks+Nn:9ojGBoXUlo/+smpxizIjIq
                              MD5:C98CD831B05119C15038D9A4134E08B6
                              SHA1:0E6DFADF4F424BD9F6D0F09E341923905FE9A087
                              SHA-256:A9FF58FEB3E0E58869F91D2EDACF57724AAFA64546DEF08DB6A95CD36BEDBDBE
                              SHA-512:1479FC40A526AB5E2FF7B832EA30AE0C5E3908B689B025C373FB3F1FB34FA633EC4C87AF78DC78E0230E96774AA70C25BD140AA0901D075B856858E21AC2AC9E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4410
                              Entropy (8bit):7.387321377343912
                              Encrypted:false
                              SSDEEP:96:EcbbrnCxbbWwx6EG0ye6RNoUKFl3jBPm1bKE41xZ:lb4WhEDyewNkF10Kp1xZ
                              MD5:BA7A94B1DB2680B80B8E3684D6C9F4EF
                              SHA1:24E2FCB30BE1D19DF3E370753B02116AC1D9C654
                              SHA-256:1753EBADC646BD78748078C2AAAE2F5D65A0EC1EBA38E6A1C4808675328C33DB
                              SHA-512:AA14BEF9038720CEE335E7D8E53754BADD3E0C9F356716B18CA1287A22DBE41F2C2E9AB47C9160DA5DA7FDB48261C8DFA9D92EAB770929FE4194B30F0F252BC8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16698
                              Entropy (8bit):6.465853096641212
                              Encrypted:false
                              SSDEEP:384:OS5hs5Np6a4r94hbesDWFsOb0+E4e4jW9WW4:OS5hs5Np6aJBYDdqg
                              MD5:83312B60822EDDFB6736B1908981360C
                              SHA1:03BC47BD03952425F251C44B635685A8AB8F60E5
                              SHA-256:DAE4FE9CF020F24F86CA1FFC5B4D2D2363F72ED29AE73289E81C6377931C1CA3
                              SHA-512:EC1CFE0C2DB13502A20B76C85CBD088F5031589D53C8AD7F5982178ACDC7EB9D9B08F96F520F1EB890CBDAF62697D0B67CD093A5D8778B063D3EAF048C81AC1F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):263538348
                              Entropy (8bit):7.325189986687162
                              Encrypted:false
                              SSDEEP:1572864:PJz4AqmOfxarqBrPkJ7d9xWmMeqOuhUFOFoTeOze6+GNLlo4uS3JwHumk0y9PBNQ:SmOfxaYLuPeedVF1R/F6ujD9TI2gNYL4
                              MD5:3F34E2093CC35D55112631F45C71C300
                              SHA1:4D2C45E636509CD526CFA6B057B3FFCB03322E0C
                              SHA-256:5F2370694FCA503E607A2EFB22CA02FC90D3DD89ABDDED21D82C6637C977137D
                              SHA-512:3F38965B98F0DEF84CFB28CE9ACD44D86F449C67E4958912099CC94190CAB064D132646A3B367CAE69FD4531DB4D62B791D1D7F02E2A44BBD2E398EE0D25C43A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12602
                              Entropy (8bit):4.874969020476556
                              Encrypted:false
                              SSDEEP:96:FyhQJJ3X/zGueu3BjGc4lo7Aho50xLL/AUjZ6AFWSRNMD/y6l0ORlu:+QvzGuLBjeaix7jFWq6DB0ORw
                              MD5:D6F78B2E088B873329B426433BDB492A
                              SHA1:7D9FE83565E5F69D9402C65CC7CBB8314EE2AEF5
                              SHA-256:AE85463FA99CD60E562FFD69C7BB0951E40D0213267DB323A653F55AF31FB87D
                              SHA-512:095270388124E1F7FF4A832B419D4256E2DF50BF696657F2C9394C79CF7276875A829B2CBDB79993305405800C799306BAFA76DD6CFAD3B63462A0EB581FAE91
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):103708
                              Entropy (8bit):6.923919790421063
                              Encrypted:false
                              SSDEEP:3072:sRFOTKjgcM4zCPtZ91/LKKxR9ew+zpalq56f:sLOVJiUtZf/rxR9vSU0w
                              MD5:3CBDF8B55085E9DDA4198BD51BE995AB
                              SHA1:6B6AB5D33A6698859DC36E2AA76D74805A12E56B
                              SHA-256:85ECBC9A3F45481E56435927E1A779C035CD945559B2EBF5929F8A8D1AF0649C
                              SHA-512:01A04DD1B011DF4F6FD91D7C2FCB4FC4153A6A32376D8D5D2DDD4F94CC061B086D2BF90ED0289C4F2598A87F06A1ECC20867D69A5CBB83A4048B641B2D612137
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):582
                              Entropy (8bit):6.977378318274748
                              Encrypted:false
                              SSDEEP:12:bDV99YiFZcSdxSEJ0dqaEx8F7/OnQZ1x7FtpKllYv:dYiFFLSnqlxyOnMfKl8
                              MD5:C8C55A7447A23F923CD16B2F35117DDC
                              SHA1:C66B8778C82699E60FF5A7EBD531081724F48EA4
                              SHA-256:2F4DA70B591283B5FFD730DB48DDFE28CF5D5DD4CC02E8D3BF66CA0F50802B91
                              SHA-512:04AFA9DB84EC01EABB22091D9198110C598CE3304BA205BA8EC8DE0B99D5D0B2CF2D184CAF8D914E0CECB4294D3FB60905DA9DC0E17486B1E16BE54D540E947C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):239322
                              Entropy (8bit):7.116471058841213
                              Encrypted:false
                              SSDEEP:6144:ydmVDcAyGrj+PLgWaAvZ7RN6qyzxS0qC8J/I+Rz:yMSGKt/xXAoCPOz
                              MD5:6B482E3E38E1C949A6957743D5BDBB1C
                              SHA1:1875950AA93E211111A8CA1810CC53A6D309864A
                              SHA-256:B513CA9A3E27DA11715808FCCCAD148BA39065BCC7DA34C431077922BECED95B
                              SHA-512:8E310AB4F9BB602E1766962CF147A4E0010350071F08A776C5F5A85398803626BEFFBE5921061ECD79D203F40348DB274861D7155A67AE358813D6719871ED8B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1516
                              Entropy (8bit):7.598099641902666
                              Encrypted:false
                              SSDEEP:24:CBf6lMntZdKadLGtcCe6+UF6S2VRKlyaIiUwtnieop1DXP+AKk9jpaP9UNUZHo+t:y6l4ZdHUtcYNyRGyP4m1DXP+kpmUNUJN
                              MD5:3D04C2A049EB7436BCD3C7A212B89877
                              SHA1:9B98EAB40651DD45907266430AAD348A502A1925
                              SHA-256:473E7CE19F4BC65B7882B96BC78262487CF8231DEE343ECDE6A7BF1508CDB6B9
                              SHA-512:3CABA7BBAD98A49BEF0FC342BD33C176EEC9514FEC04DB725C2669D4A7BA3DE1D7466FAF471EC4D858796227301C033D598A59FF7FEB17E1C90DF88D8BD58FEC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13399
                              Entropy (8bit):6.702201016039428
                              Encrypted:false
                              SSDEEP:192:F2EhtF9FqT7mPhExum5VVxLjvdblKpHDTCs6WvTQdfLOTl9EGCBry4O9H9Brj:AatNWRxLjvdxKPOWMNLqLEGCBiHXH
                              MD5:F7E7FD201C6FD48529223F52E6C85559
                              SHA1:FE1016E8EDC39DB582FB9068EA2D2D1AD82E1177
                              SHA-256:175F6582542AA931880013550ACACE17452E99B1B9EF61A6C78B9A1439563BBA
                              SHA-512:FE5B1F88309FB2349E519E2F94ADC98AA99983EB1F799AF6AA1938E6D9D71AC76DDF7CFCAA3D90558C9F881AA5BF7C5359A3BB11139BE2AC6091FF8B55E2F0E5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):234402
                              Entropy (8bit):7.08120689435632
                              Encrypted:false
                              SSDEEP:3072:Deol6wrJhArF3ladZgQCz+QcJis3djMHwVLkkhDXpXY+gwRIdCC9QM54DBGu9dr:DeO6GA5laH2cJF3dYH0kkJScwe91
                              MD5:2E0402D2150D9AF1FEA485EA9A744791
                              SHA1:D3518AC9EB955E8E2B5B67401319210AA49DFCB3
                              SHA-256:266F33FFC6F7565A3F3348598BB0819FB1545006219CC9C8C28BF94C07602C24
                              SHA-512:F895741C9CF24F11E888FCEA3ABE932D8F3193AF57077FE6F2A81EBA7064680EA588A6F4670652BE02FC438B8768FF13B4A66D2905E9F4806D14FFA8F163A2DA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):176546
                              Entropy (8bit):7.239079386858462
                              Encrypted:false
                              SSDEEP:3072:LnYhAXFqmratmTbb2cZTX7H5yXElfCaVssS8rAewb37E3H7/uY46IG2oi:LYebTH287YXixpYG7/tju
                              MD5:0AC9502DCC8F8C23B409546865B17168
                              SHA1:711CED6CE387D444187D800CE8D48F3B720C9F06
                              SHA-256:6EDE81E4F96ED42D8450F993406E6E54C3AB911BAF5DB8043361CE759384F577
                              SHA-512:0963757A3DE7C26598B6D85C477DC5DEA6DDA90408EAECDADC9A08517C169FE2C7B466D25DFAD29CA8EF66347F579C09E9112F1771512C318CF30A2DDCCD4175
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):196002
                              Entropy (8bit):7.07009597247026
                              Encrypted:false
                              SSDEEP:3072:On1ZgdMjNaWwk8BaEL/E8M8uIgzL+MlxpIJSmVMUrtiXzol+vN6thOOvb:Haj3wkJA/E/8uNzL+au3Vl1uNyhZb
                              MD5:5D5CF7634759F0CB2BF1E66BDA9B563A
                              SHA1:5C3A2AB88F0F8586A85EAAB1F5154A5E50541AF1
                              SHA-256:24500E5339B3BBCF5F4834A60A26289E01AB79CC40E6C4568D16BEA2ECCBBB25
                              SHA-512:48ECD45255CCB2C11F128EF61F15B80090F4264EFF39C704DFB3146DCB7109730284BDF2AE0A9024BF3486CFD5170705E8D808E190E0C24FCB92FCA71E39878A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1634714
                              Entropy (8bit):7.721231075352731
                              Encrypted:false
                              SSDEEP:24576:WXH6hXJtk6E8YrMC9WBoAZI/26hAQODlpRVmcJNkaEOcM8nI83o:LVTCMn2Z/yQSH4cD59z8nI8Y
                              MD5:46A89FC35D2E8E2C6834FF9E5F15D0BE
                              SHA1:A6A2714E0AC2908835D714CD42E40D84980E2DEA
                              SHA-256:A83F06401C890ED823A80A723A5FC6051CE70B945B6E3E5DAD20AA817D1B9636
                              SHA-512:B10AABD8673FD99ABB5BEC11F09EE67186143D4E3B79E8720D47093A29A428D0D2DDDE751D4B5AE04E523429BEC5DB549DF8B3607192AD0C3B831F8C58B055FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1800602
                              Entropy (8bit):7.6583178169914055
                              Encrypted:false
                              SSDEEP:49152:eq5jfV6LQwl8+ulyAvcTwAzqd/0Z4LUKu:XfiywAvcTwA0/SKu
                              MD5:C145C5D560B35484C50B1D199E5E69D6
                              SHA1:13BC38221287DC6F2E46ACA7C1E2E7D633ABC496
                              SHA-256:673335D3E851CD44C936B9E978D73C0DE2CE16B4BC72BD4720661DCB782F5739
                              SHA-512:D8423C9B944F1A8730E53872F3E891C613D2536AB0B851A90D05613855474675D25793FC578F84A9CA3CAFC3AF604E9352777CD9D337215EC839109443F0C761
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):305466
                              Entropy (8bit):7.997518123685114
                              Encrypted:true
                              SSDEEP:6144:h8Veu/yMuU8SzJHuerkzAjYQYZuSrL/rGSMRW9UOT7wA3+NYeBFBuGQ9yl9qOOtj:keuKzStJY8wuSiRcvR+NPHn9qxu3bi
                              MD5:9E37B393EDE456405B99F1568A51E3D0
                              SHA1:4B59C6FAB5D86DD536AA920558F1DFAF3EBCACDB
                              SHA-256:459C4E1E63DD65764B854C7B3A3C40D7ACAEA4FA957FCC0C2CADEA20D46F629D
                              SHA-512:B2988813B71803A49C76C23FC2A231A59ED0A5947D3E71308309ABC632E337F08CE91782BD4170099C78F543245AACB3B7A18CF76390D0A94A7A74DB6AD55209
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):518
                              Entropy (8bit):6.800030369456645
                              Encrypted:false
                              SSDEEP:12:AsilqdrrG2+bDLzuFYjrfF07rzEYVP7TLbS6bj:AsilqFG3Li+jMEY173bS6bj
                              MD5:1BBD23C4293A65CD4C4A1BF44C4D3F35
                              SHA1:35A7374657094D8F009427577E3D49DD0F2A6073
                              SHA-256:3426BD03F66772E90C7ACA373A82E89C7B756D4C0B664AEDC463939B325A3825
                              SHA-512:A22B88D9A7CE81E65424120F62F9E5C2627D7895ED194795C8E24F966A4301C5A2092CABDF826E17CE86EC807168C09E11B81A50D0579FB740E469EF755E91E8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7185955
                              Entropy (8bit):7.995350626612748
                              Encrypted:true
                              SSDEEP:196608:KetORfcxy7iReF28HaXQzusZJSLRv9IADk:oek+kB4QzBJSVmsk
                              MD5:FB526E0C91DF9D6C8939AB804BBD2147
                              SHA1:B132A1AAE35F7B6D7AA3235E398B8385838D638A
                              SHA-256:F0CFFCCF48D0B743462FCCF04438C5D54729B6896E9A2E4E0897F66C96FF0C19
                              SHA-512:DA612D1FFAA29AA4185E27C576E6EC30E7F702317EDB608048658B2421080E38259CE8DB9D4F92EEA2E2137A9DDD8C4FA2B1CE7EF49FF712A3749486DF461F5B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):124818
                              Entropy (8bit):6.824678962421165
                              Encrypted:false
                              SSDEEP:3072:DsVsvkvBS6o7pIZSI1Y+lfCEMXPkTToOLLu+5WHaADXKyl:DsVNvVoS3I4ToIXpADXdl
                              MD5:0549A69A6C9661F3E677AAF6B61A5FD0
                              SHA1:A2E0654B6AD7CEBB4BCD1CC30525037795F38ACB
                              SHA-256:AC2EFF642A72D8B3F74234B36B8F82E50D84F4CC949613038C57547F25878F56
                              SHA-512:DEEEE7BDDAB908A8870238F02624E578BC701542567BB50397CC8FA9A5C00CDFCB7C0015942F9BC3277FB06AC85F1930ED14020E85338B51B85A3CF879594F64
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1072018
                              Entropy (8bit):7.15481309084005
                              Encrypted:false
                              SSDEEP:24576:Qe8hccufhaaJTks8PNaillG6k011srNchvT+7R1C1OST2IYwvVnqaa7CqQNwoi:Q5OfhF9kskNaiHGB011sB0r+11C1OSyb
                              MD5:37F929E6CC31ECECA1AE0A30B465323C
                              SHA1:D69437D93A482E432DF7D6D837CA78C5696E5E5F
                              SHA-256:DC9EC9A3B6532062ABB021982BC51968337E12C112434730138F65C65A8BC951
                              SHA-512:1D75D7449D766E544067B6DD0C1321724B6BC0646C1FF17089A7781B876635B0FACE9C1B8D1FAF665878A0A908F425C151C86AC474EFD7FBABD8762A314624A7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):200700
                              Entropy (8bit):7.9319208878684835
                              Encrypted:false
                              SSDEEP:6144:J3I6ocJtiqvYSHzj9CrYpC/KgsZpgoiMmObiGltEbJ:tI6oE0qtHzj92/KgMUMmO+GtE1
                              MD5:56ADBF4FFE8BC5DA00B460A3AF6036B6
                              SHA1:B4591B707FB1639AE2BC2C6C90E273198C0A1DD9
                              SHA-256:390289118429B4618E65E39C515006D66176BA3D69F943CEDF62E32CB2D5EF78
                              SHA-512:D8EC8966E01E15E99A6DBA60B8F1A4963A4C0016BAC1B0223E822BFC290FD41CAC9FD38A4FBCC3ADF3C0425E78BC5F1E8D954E14DBB1C65B20227EF0FF7E4A6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33768
                              Entropy (8bit):5.7228497863123025
                              Encrypted:false
                              SSDEEP:768:s3If5NRr4nnIrsjPYtBSNOvQ1CU8WzUucr6+o0DwGNi:s3I3Rr4nnwSNOvyCUVIucm0D1i
                              MD5:87E54885D12B4DAD311CA9E60053562D
                              SHA1:6EBB72D4918DD540EF3E6AC5CEDB737602A8FE30
                              SHA-256:CD136D239FF47504AFA258B1884C85346B70D27A6DE43D7B78723355A49551FE
                              SHA-512:99FBB595E758DEC1A6FCA8986BB916C73F644008AB54EE88D6CD6FFF7418278CD8F5DBDF778CFC49505DB1ABD83701E031EE846B5F97858A4C6F7451EE47A07D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44442
                              Entropy (8bit):7.0315223434510195
                              Encrypted:false
                              SSDEEP:768:Wq2TopellNfivRkLe808l6w48tUZDKLooCPLCLOg1sMUSwtttItphgKryj7Kjini:WtTlE2ZybVLuitvlGVUNTy
                              MD5:F45C1E94243C0BD26914F17B9E5C744F
                              SHA1:9F7A451A4F0FC07D9337CF839B79D790F82561B5
                              SHA-256:A1E7D0EF6DFB8536236BFFDDA638DD4833BAFB8A5CF073720D13C314EF9669B0
                              SHA-512:AA6655BEB20903FE1E3EC9821A27C80779B6B556BC6E3264B2BDDCF3594A45AEC3A01E845AB99125DAC04D5A828B713ED9AB9D93B74C591ED013553FCD698D6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):49832
                              Entropy (8bit):6.222393108797496
                              Encrypted:false
                              SSDEEP:768:Fvv1LMk2TRuluiYuAwORwrzc+c0RHTZ3F0:hv1LjwZbQzk
                              MD5:F3AA55ECFAA8A303D27BD69CA5ED2A3C
                              SHA1:2F0E2BB2CAB43ABE220E81C8A8DA75092DB70CDE
                              SHA-256:8DA4ED3777851C176412DA00670F39627B3941A91861B8502899ECA444D63E7B
                              SHA-512:98E56F05199E1A4CFFCED8A717765FE114500CE19D6EFF362CC9AB6B80B8EB8A2BE136B9271D0F8B13794E460102F66C686B01D9E02A9D2254B616A91705778B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):53658
                              Entropy (8bit):6.911058580829466
                              Encrypted:false
                              SSDEEP:1536:7W4nECqqc16gTTtCKho/2w9LM11avjhTEzlSdtLKLDB:q4oJ1N1Fo/ZyojaZSdtm3B
                              MD5:0CD511A33C9A026B6158248169128A3E
                              SHA1:8C1E6D7EEBA9A08E6FA1926FEC1E950710CDC5B6
                              SHA-256:73A1E89E7BBB9B4A1028640829EC1B15A2419B5BE50D3704BB5B58A3C14B2D57
                              SHA-512:AF6D37C468FCC854637E72B0EAA54FD3458FF65C0B183F8770B4FB79FA2E02AF06275186EB06E2B9EEBA08F848D6CB7E9E52A5466B67ADAE6601BE7C33E5264E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):726954
                              Entropy (8bit):7.290249641184009
                              Encrypted:false
                              SSDEEP:12288:wXGz+ta0zHaker2pMxm9e+UeinSL0/CRyiKGL8xZusq:4aj0zHspx2wBWW7q
                              MD5:80971D15C9B1AE09F68EBF1572F03891
                              SHA1:0F2142D93B73705351DB512ECA72EE41FD6DA087
                              SHA-256:C156997D56CEF37A27FE646E0F221AFBD7BF4820EC05E3C47C314DCE62C24A32
                              SHA-512:39CBCA8EF001F3828183BEE2612571D5FBF123C73BAB6A8EAC4EA574CF48E10A8B492561A49ABC2C6D2ABBDF5DE560F06863C78EE8167CE1B3F654BAC2FE06D0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13307
                              Entropy (8bit):6.88752703775169
                              Encrypted:false
                              SSDEEP:192:3hLKzx2BLkVdby8t08WwR5W9qQLLJy08kzSexHHdKnXCw7e4mJ:RLFdkVdbbiwR5W81gjB9KXCw7exJ
                              MD5:80ED91F1D485B52F6DE6FCAF9EE1F8DD
                              SHA1:6604DA6285D1281574EACB6EA000B29FF3C143A6
                              SHA-256:1AB24E26A8116FC78181ADD88C0CC8B1C0CF071C68B0BE21B8A31ECB642B19A3
                              SHA-512:EBE1C9ABEC02223E7B41ACAB3D1E8285382FB2ECC622723033EEA37D709D0A84A13E4F5381850CD91CEE550DD6561D90EB39BCD473E4964E77C90EAEAFAD61D0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29290
                              Entropy (8bit):6.575168091838858
                              Encrypted:false
                              SSDEEP:384:sMnLe1unaIcpnLI5ANSID+8OEuL2niIKnQjeZA/2zbjhIErA/ETUCnknInClgoL9:uYk9K8CusZJToiVfDCK88dA
                              MD5:CFEBCC2DA2BEEFAF013FF7FAD02B2D02
                              SHA1:881065B79DA095390CA683B6F71C358B8B976C0C
                              SHA-256:D9B4F35A3036C14E184D1C316C88715A577DDE54DCFC7823B08B61B5EFC1349A
                              SHA-512:F67D8F24CEFDE0E94105C9C4A8EFC19E8D83272C34C4C6962B2B1D661561E21E01DA500EF6C8966DC29EED08C2B635D0A55438392E600D8823297ABF3131062D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):921002
                              Entropy (8bit):7.160404502978802
                              Encrypted:false
                              SSDEEP:24576:2GJmmIDaK6Cr7e60exEZrSyr6FVR4nPiRbcHCa8:22IDaEr7U+FVR4nKR+Ca8
                              MD5:1AC712002960C084018C8959779E32EF
                              SHA1:FD98B578C0CEB6FEA7E3F8E96E577B7A65480FFC
                              SHA-256:7AB68494C8064362CE3537BF4F42212DCCB8ED59BE621FB33021BCBAD4593249
                              SHA-512:2C836029B5A73250E9E4558E0524E587DCFF10234DF535181172B586C08A9B28231521473214565E5A0852A64F8282BA3EA0135C8536657E807B8877FEF2FC70
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27860
                              Entropy (8bit):6.500805212419417
                              Encrypted:false
                              SSDEEP:384:yDqdT8kOD0cYz9rS05CiKz/Q8ll9BjE0JN6kTM7wK:2ql8e6PjXjE0v6h
                              MD5:4D0035C5262AB36A64CE102CFD2293B2
                              SHA1:E40EDD48219EB731CA146AB3D1F74B1CDD8C5749
                              SHA-256:139AD640E38B630F16489615ECC89F6D1AA1C5F0B186130992824981999CD108
                              SHA-512:666EA519F73322E15D4AA11F79B473EDDB9FE22D7E71F0B50827D86D0A7B62CF6A874BEB7C3BF744DBCD78AF61520F54F3BB8C1E905EC23A7CDE4A46640596B0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):521
                              Entropy (8bit):6.824370623688086
                              Encrypted:false
                              SSDEEP:12:jYAeOtXOyuxZawho5HRFEor2XY8yOEHyjKUi:jAP77G1oor2Y1OEChi
                              MD5:9AA1413FA29D2EBEF597466F7FD14894
                              SHA1:DD72B899FC628892B6A8885FDA08A9C897847792
                              SHA-256:59F223C0252FF9C9E3954250A314B204E8AB9DFE8D82E7B369F780DAFF88FE42
                              SHA-512:C28B1D352F027ADB84E1E676F4D97B41F46AEAEE5128A51E97BD39BBCAC5697C209C1E99D4E7E36A255163764B89A4C7B2C0D1B1A3676A31027CEA5FB8DE8BA2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2181
                              Entropy (8bit):7.705351922074254
                              Encrypted:false
                              SSDEEP:48:cc0FJ9LV1tf8CydyV9i27MWVtIdbPyN5sA/MsAUf:cc6HL/1824WVWPO5TUsj
                              MD5:DC22ADF7C2B5DD4E8CCB16CDDBC2D79B
                              SHA1:B99E1676D9D877518E3C142F73BE7CB971139234
                              SHA-256:5BD7570E16653CB768129B33A46239DD9A43A9181A2C2C1CA3008E0D7D089668
                              SHA-512:9DCD5631AF368CDE6E6D99483CC5254D1AE92412428D07E3B0478D5E7608A61888D9B42945F0285CCF840ED009DCB86BAFD3116CB5405C8A9CC615DB22C7895D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1617
                              Entropy (8bit):7.659055218852519
                              Encrypted:false
                              SSDEEP:24:E7A947p4WyRz/fgoZjzDxiHDlXCMraPHlZcTo+UMUBxBdvxezOESoCky+Sr1Rl7J:DCEjztUrMSTlCbv2OErytr1R3+I
                              MD5:125583C5B167A1A8F95AAF96EC6B8B30
                              SHA1:06A832E0D9C5B89C3240E149975F969CDA16BAEB
                              SHA-256:5D5DFD2E550B9F7FE4FA0A6C15E5C7EA402BF242DD23318CA978638523475F4E
                              SHA-512:7BD9128800AA2FC32DB7EF2B73ADA5BB19252D0A76F65172A49F582B5C434A4AFDEB61BB0CAB811C79EBAF5DB884DCCC7533737C6DC76803A0ED1BD404F1285B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1400
                              Entropy (8bit):7.599637708009413
                              Encrypted:false
                              SSDEEP:24:KbhSvUyrJ8sS+qo3S0+BTGDWHQ5wJd1POD3XmOwIT64CEv/yJkAqhLjtH1gZbY:mhSvUSWsd80+FG6tzVc38InyqAmx1
                              MD5:4CCF7FEF3244BC4F2056FEB72D31544C
                              SHA1:B9DA95D5E6431C863A1CF3835B368C9FDE238551
                              SHA-256:6753DDB208C132FA086AD59A5C121558BF6B73A817C90805CBE91B7578EC1832
                              SHA-512:229D3B7E3CED1295EED4A68ED366B51CC27E761BA22D9D13B9C6FD7F69425ACE8F10086BFE14415D1BDEC8BB34CE92385EFBBC854BD67D8D46332FED744E6EF0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1609
                              Entropy (8bit):7.663924881204082
                              Encrypted:false
                              SSDEEP:48:2MtYT1SoUdk2wZ2I2L2eFXWk3LwFbXZI82Rlx:2MWT1SoUdjIcpFXWk3abmJ5
                              MD5:E651685C9242442C2BF94850585B7EF4
                              SHA1:4473C6F5FFCB83463267F9485C0A2CFA2C336156
                              SHA-256:C0367A34BE9C1AB7B2B9AD7A3F305548FC8A5D92ABE800B0A4431B73C33B1F51
                              SHA-512:A9D23487DA7B9FA98F798E489F507125D3B3C77BDD5E47F4004591C67A5D5A77C6B513F241419B343485833AEC99D6972FE25760EA19BCB6865D9EB5231D3BF5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1586
                              Entropy (8bit):7.558795832203676
                              Encrypted:false
                              SSDEEP:24:QQ8s33RfomrE7FJ2qczl7ic8r1BETRY2lm8M7B3JyPwLW10KybACYh7BCIgOgGTc:QOhoIimJxi5gm8OHLo0KJzgOgG2v
                              MD5:4F41401E194EC0D62BD461EBA7EB2424
                              SHA1:EF75B18EE31130EB91B740994ACB2056980699D9
                              SHA-256:24550E23D378F78C480B682BB987F57AF0CBE6BB154CAB65D1FBE47E9F1D6307
                              SHA-512:BDD681B98D4D5C484527C761842B2CC9DF78254802B93512879CF96DA6BFC8CF0BDF952E3DF78ED8DC3731C2ECDB730B76FD08BF26E4AC5FBA4F7871D4C67155
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2142
                              Entropy (8bit):7.723038856112731
                              Encrypted:false
                              SSDEEP:48:m/Mb5pFkGfb7uRHjqEHwmJFKjghxCRvdSdy1CBU7u48Sh:m/G+GfuhqK3bHhZy1CBq/nh
                              MD5:1775A70EBD53D54158F5393DF4E450FA
                              SHA1:F00CC1311681121BB358F01BE05B7C21533DD35A
                              SHA-256:6EE3EBC6B5A994F929DA050243BCF21C04DFEC219082DD992AAF8092F2761071
                              SHA-512:8488F4A8D061031E9130032393148281AB041F8EEB7AE72C36A1D67476AB0F0F757E9F4EAD4B3AF567ECC3D2A0C2DFB6E2C4856759036505EC3FF712D98DA99A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):773
                              Entropy (8bit):7.220804423059025
                              Encrypted:false
                              SSDEEP:12:thLOoxZpYywAoG8SkcxMiwpABylzyAb8GNDWhMqvmy0pnBqRoKY4Bsv:rLOoxZpNLkAjGABylzlVNq4ZpAE4c
                              MD5:876E97EE4D3C35D197E33C8A05DA39F7
                              SHA1:1BAB5E6689EB2012E963FB71F90C5351AFED0D5C
                              SHA-256:BF7339AD2FA452AE9316A0B10FACE1BE4C60A5F86E0AA93E7691162564E0E500
                              SHA-512:060CCC5CBC8D66006A202E9BD1FFB5D6DCD9E153CB5DFA2C1A13D44917003F784A80DCCC49782C1948C836A3B4256421DFB77A1DD1FE67B797BC1764EFB4E622
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):2152
                              Entropy (8bit):7.697538061043791
                              Encrypted:false
                              SSDEEP:48:O/xteSZCn2FkawFkjblLK4TofG20UO+RdoeLYnCdrxIgSVuCMB55CYV9ukMYo:UxwSZCn2uZkNofG2q+RdoeLYnwWNMB5c
                              MD5:952F452DAC9AA056820D27D5C45F9276
                              SHA1:52F1DAAB3CA14D10523F705666D11E1D1E963547
                              SHA-256:B07D23F4E675EC663E0D2045489DB51641A3F8C3914F02EFDBF118992241415D
                              SHA-512:61A1E3C162C6EC7BC662197C0F99221DD0CAA625C1E6CA6BB0AEAC8B2AA77C52B5D61E2C61847741F60636442EA64AC9D52E66CF6AB4F092B99759E2824D4F29
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1862
                              Entropy (8bit):7.708190702608225
                              Encrypted:false
                              SSDEEP:24:hXENlvGP/14HetEXDnm1UvYAe+TpCrzGOMx9OMciKN0j9Ph9bqVI3Va2GuW8d+lz:UlvG314HWEXi6pC0UMWaNh9eVIvHdcz
                              MD5:FF3C13F9D82BD137B8FE3F8ED1598C6E
                              SHA1:2571E092368428AFC1502F928D359A2F0E889228
                              SHA-256:2BF36966FA95CB04E110027A7121D5D937B38EA726C082D84BCA91E74320FCCA
                              SHA-512:5D760F33DAA6594DBCE02A7E787D4C26D45C7CF5E6F9495C3BE8F8EE6D88BE9AF72917733B12511C3D4EC1BB6371D6E55886CB6176433B1BDAB6F701992F90F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):491
                              Entropy (8bit):6.651684709751777
                              Encrypted:false
                              SSDEEP:12:N5prQIj6Y9jjUpl/LGhUdGO/uObF0zlydltz:/prQ0M/L2UDPbpdltz
                              MD5:ED8E39FAD2E788AA80AA4D0ECFEF85BC
                              SHA1:59DAF38D4FB2B7A056A820BEECD665A98F4E63A5
                              SHA-256:66A2E9FAF9CC2CA92415DE0A28846C2BB1676488B3FFEEF82D91CECAD9E87FD9
                              SHA-512:2458C8A59099FA3BA2B4EB44C4B3DF87095BEBE92BC297F9CAF153ED18E2F92D7ADA993DD136ACCA68534F4AF5D283855AFA8D74F3E1D02B1335EF6F31124A85
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.0026866414447895
                              Encrypted:false
                              SSDEEP:96:L4jPEmUEaZTOHqZsmDlYYESUEt2N9KHNRSnQKSuH//53:sjtPaZTOKGmDluvEWEHNInys3
                              MD5:B57FAB9F6C3D8F77D4A41C1B5607572A
                              SHA1:D81BE10A5B5E7EF332B89BD3766B7F6DDFC54860
                              SHA-256:D25F267882807902E112B2B614D2F0D4E33AB9EA8C55B6481CDACC387F54D192
                              SHA-512:A93C9DD88F4F7B97A7934A80D1AD9DBCE5B5138B018A426A3F25FB3049600C31560FFC005B00E71D9AAF1119D3E693C19245B103B79B65DFBE73FF04FB84958C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.045652753981562
                              Encrypted:false
                              SSDEEP:192:AuJKbmkCoyY1r243LVbUYKq+6ctNm9Z/N:AZmxm2O2qnct09H
                              MD5:03ABBDB674353CB101EC18001DE220B9
                              SHA1:36A6EE78DBEA598A563CE3AFA51311E58E591B79
                              SHA-256:DE685D2B9061AEA1EFD34CF223064A7481A82EC4762AFAF979C83938957D9EB1
                              SHA-512:EEE3F1F7866D051AEA15DB2AF49D3D299609BE7034ADAE7E6001E3C9468BD8048BA71D96ED79952DD2D7F5BD9FA5AD77679A37672297734388FEE9278D655EC5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.068982631211068
                              Encrypted:false
                              SSDEEP:96:zg3X1M696rAiSlC34nOAgevb/as8juf5z9XwELZshcWDYOkXb33G//kt/:kVMG6Uwonngev+sWs5xLZshdDYOG3v
                              MD5:CB79EED8ED7FF27BB47A6FDECF11DEBF
                              SHA1:9C39B01BB5CC0CA2B2602073ABBAAE6F355910B4
                              SHA-256:CC23F67FB7735409EF5DDE90AC08808C6CCE9CA0D8016D08394EF31CBFEA3E3E
                              SHA-512:ADF54E041C4950E245A76ABF0398C4201DA7848E3EC07A4B66D288708D52D1689A99A27820C5076AF4399ADE1405249DF141E9A517D8FE8BF7127AE9DBE4F5FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7720
                              Entropy (8bit):6.029658879893488
                              Encrypted:false
                              SSDEEP:96:JAZWzCq7rWE712g10eGkymxf/Q0YBFFFtIoY8pCe6fxFDU7bv1LA91m//2v:557rZh2sGOu1FFFthxeFKb5WR
                              MD5:9C9FFB766ADD813FAB81ACD70B89EAD5
                              SHA1:7F718145855F43F275F1F7CD74C663F6EE03A3F5
                              SHA-256:B47B9011C5AE53A556F40CDF8FCC4096B02B761A04D41FFF69DD8F3A98A9DAB6
                              SHA-512:05A9DF26F5641A80DF2233EC48BAAAF676BFEAEDAB0A6548ED59ACAF7A40AA37B1C152624077F1700E76B29A248DC7CCABECAD8E86F4351450D593E4FE18AD82
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31840
                              Entropy (8bit):6.815763271899651
                              Encrypted:false
                              SSDEEP:384:++s9lOwhq2HQaUn37PfDYWwOZYRxW25jK1obJzmg9Hdm/i99yY7rOliubh:clxHi3jMROZcBmg9Hdmk8zQg
                              MD5:0DE7E9927F95B5FC772FB1E8E2FB5D90
                              SHA1:A1017A069E894B5F83D3243229094D573294100B
                              SHA-256:36E131F092B4D64D2316CCCD47E1C91AE904A1F9AC7F5EFF2E967149A6012B3C
                              SHA-512:1BF3376CFD9487C2FCD90F6EE4D9249B88E280898C8753EDDBB9C21A24BF46E814A5009A454EAC21C8DEC85B50FB09A579E351986FD5F21A6B5D7477CA2B9688
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):71860
                              Entropy (8bit):7.61670650506223
                              Encrypted:false
                              SSDEEP:1536:TXN2tC+cuDAri8QFPx2PcqrmZPY17MGK3X:4E+rNpf2PcqrmNy7MH
                              MD5:A7763B51D17AD2A448D807BCEF2A02AA
                              SHA1:0663FDAFEADE28C1721F18C2638635C83370DAF6
                              SHA-256:7CDEF84C575884731D57E7BFDEBCCE1FC9882D4F4DEA4D06D959BF181B105B6B
                              SHA-512:6E8B9EB922772BC515929FEE4C5E563ED4767B607620DF458ADEF6B07A92D757D4278C89BC12D22450B9EF0C6C99B9BCCD05CF879F7333EE474F0C7217F43C75
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41601
                              Entropy (8bit):7.008103203680149
                              Encrypted:false
                              SSDEEP:768:X1MoLQBkni5c4uydOrcJ4xnv8b3EASXPR:X3QtdOGYKaPR
                              MD5:233146216CE620FA7B64D75E5480456F
                              SHA1:890E8FA2480DF0AEDBB091379CCB8DDD53F89ED8
                              SHA-256:BB6093AA2BA62311BE704B5E03A68B5C9B3ABC98DC47A116CCC15AC534C4AFDC
                              SHA-512:594FA93A00227D954AB0F12D9211DC7A4D4077DAD4C4E3244E8FA10B67B1B5062BB4535B8F8CF86247BB2FB62F1D895BD21DE73FE97CB91F2E26BBE775761287
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25528
                              Entropy (8bit):6.649234927497562
                              Encrypted:false
                              SSDEEP:384:28d7cEUmZG7RwHES/tpdNsIDmf4dcFGJ4y5N0V0J/lPzeQg:28d7dpHESl3NsIqf4dtJ46E0J/lCQg
                              MD5:D9C9C7C52D56732A951DE7FCF680781E
                              SHA1:F38242979C6204FCCB3E30866ECA002028E17690
                              SHA-256:B2A67C1D42B7F9CE7491945004C653691781C2ABBBA078A33A20A01059C84BF6
                              SHA-512:7B1CA4BA819340EED98B247CAF75C0DBA4B7B3CBB490EBAEA500F9DD912B65851A10400F9CE643DF8BC558650DE0A63BCB246BF8C542086D9126480FF4975146
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48363
                              Entropy (8bit):5.802192543873274
                              Encrypted:false
                              SSDEEP:768:YWF6yHiddxRusZ3P/5kLwE8kFIwdU8JRrsTl5+z:vFPi7WU/5kLwaIW/fITKz
                              MD5:D4B065859DDF94017AF077E9FE3BA7B2
                              SHA1:14F765444DE7C782D711232902300ABD0ACB17D7
                              SHA-256:1B7A60B6916B88F6CD4748C4CCDAE24669E8BF116B366DE6C1EEBDF38A68CAC8
                              SHA-512:86A8567EBEB620403CCCC640D8D3F40C1FC9F4C023B7BA32E40001975853BFB3A8CE69D75E6490161066C7B5FBAE21A00F4E4AF7F4B919342AB3D777F9EC50C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1285
                              Entropy (8bit):7.299890309728865
                              Encrypted:false
                              SSDEEP:24:/5ymhayMf+cu6H43Q/ymyKCmy/08CEFb3myMfu:/1zYRus4g008xFbau
                              MD5:40D7FD6EF0DCD442147C69ACCC38F32E
                              SHA1:5D0F41A4F5A18001A2329819868861E4B355AEC7
                              SHA-256:7EB64DC3B088ACE5CAA4EC5D72D70E37D1FF9D82CDB27B1C8519E547860ACF51
                              SHA-512:051B1555B4CE83CF08B491B9740976A83CFAB4206A8B72335FADD470B280EC2127DF69AEF2312C11FB3761A0B4BA5DFCEF0B883A46530BC7E62CC26546F825AA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2062
                              Entropy (8bit):7.65414176853421
                              Encrypted:false
                              SSDEEP:24:umahvzQ/HtdNTGOaNNoFrFRjASQuprbTXoWE3EVOkwt+E3ErOME3EK8E3EO5A9Rb:umS0/TGKFz1QuprnXozNV5ATz
                              MD5:C563913D9913FF4095A8DBDA8A43E732
                              SHA1:D354071D54EC7E18257FE7A344D922B3B1EB8114
                              SHA-256:4F3B21FC113C5C73243A580D633EFD01DEF3CC55FD27B83D3756BD4C32FC9526
                              SHA-512:19D785B0DDBCC63D9015E57A4F34B976552BEAEB38F9E909497D53F64CF19AECFE7C015F1B3C5A72A4F8B110182208AA5BB403B8A09B8A86B7504D08B2CB3BC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3220
                              Entropy (8bit):7.689044717950427
                              Encrypted:false
                              SSDEEP:48:9tW1stptc5tX4Hw9zipLTkgLiUV945KNPqMrwHhFbdmwIct4THPU/l:9t5tptcfXkwFiug+Ea5MPzQFbApHc9
                              MD5:8F483294708A901B346557F5EF6AA708
                              SHA1:93815E8F6C82AB175AF2CCF5A72EDE8F23619FA4
                              SHA-256:427DB19000A91959217638705F19F9A18E88FF92E72F8FC9D2987F00C3F0A1BD
                              SHA-512:A94196010101F6C4CD5C75F5A43A4ABB532DF6CE152F566F0E9C9E35C38812D5E07A7AC15772C2517293101F39C10620EEB3B96A489D7DD19D3715A39D80A574
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11069
                              Entropy (8bit):6.740288448717774
                              Encrypted:false
                              SSDEEP:192:JH/NFbA4MlYarLrOsiciMQoUC9bfGBGuwcbJDpiOupiHlv2di0bf+:JfNFs4MlYarLrt9iMjUafEGuwcbJDIOV
                              MD5:36A37A324A00AA4179C281940B3AD690
                              SHA1:C29733BB87FC82B1D2B3D8C696D633550188A5E0
                              SHA-256:15F98B54F473FB2DB075642D2E0861ED620DB07AB8F071AA6055646F06969C2A
                              SHA-512:F75076371A798150DC5C7496972CC37C884EFF56B3E404CBDC7D7480957E752D6427DFAA50B5BCAD072EBCA71971A2BDFA64364BAF6B23EAF9A09B744D186313
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):309775
                              Entropy (8bit):6.6838658191553035
                              Encrypted:false
                              SSDEEP:6144:crKXxlZUIir0+QISAcDYsmrFTwqtw68Oq24H2L8an:cGx3Lir07ISASYsmpTwqW68kL8m
                              MD5:2134A7F6433567119F921476B6507843
                              SHA1:D76ED01BEC692A994FABE169B5341AD4ED71FA26
                              SHA-256:54F51C29BEF4CAD41ECE55D94046EDB6ADB0896DE1B2EBBFF81BDACB651EA7B0
                              SHA-512:6237173E0DC613C84B2CD77F14E555DD91C2DCDEF2F91D9C932AC1B6F6DA78D695F3F895DF12F22AF2D2C7FAE7355201D6C6007C3E72C19BE4980AFEFC6E30D6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27747
                              Entropy (8bit):6.712507164951695
                              Encrypted:false
                              SSDEEP:384:gNt4a+Vw7S60YAItvlFicP6pRHI0VA828g6qIlGOI4b7+OdjleWjztvynN+61nt+:Y868qElI4hReWj4F0v1
                              MD5:834D2C00F1A01FAD7488614DC63CD524
                              SHA1:7C5CD5AB4DE04886384CB9DABAEEC23E3F1D1C88
                              SHA-256:5FC3E8A8364DC3C08D1BAFA4B30A11FC5296BB811204A3A785FF6DE22C942822
                              SHA-512:2B9755291B50C1F75E951E715E99BB5ACBA18763F6C7996EF24F962E24E81F1C920AF3084355C6912482EB4DB1D784EB69E46E38BE6463D1DCFCB316653FC8A4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19736
                              Entropy (8bit):6.80177044190285
                              Encrypted:false
                              SSDEEP:384:W1tQ3I2DPC/eg2l+xW23HJZ6tX4cDYrEBxxvGsm8zE:V3Bd23rCOkvFmJ
                              MD5:C8C67F5D94E62965F34F789E177B28AE
                              SHA1:AE3F5DB0E6A9278FBD304329D0F627490722F619
                              SHA-256:93FF32D914A71409EB53A80641B926882E19842D908E86C3646249FC02C069CC
                              SHA-512:EB086CADCE39E05CB4151006FF79B40369737329E2BB1AAEC7A889AA96DEA88879E874B91E0A4D706021428DB60860DA89F83D23F76FEB0D7C1290F1CC307BDE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8071
                              Entropy (8bit):6.697410267792323
                              Encrypted:false
                              SSDEEP:96:JJrAQ0C0vGqJoQj+mXw5cX0IGMIdvveGdHG166BSHhdFZ+z3O+K7BW1yOJy+kHo7:frUVyG0fvveGV9Hru3O+K7BqyOe2
                              MD5:1927182F77EA910D6CF4F45806606C05
                              SHA1:FE022B5A83E5D8A06AC0B75B60012D79D0072E55
                              SHA-256:F2EAAF5682BD71E63554F3BC7FF5B901F59D6F34AE64007FDB58391F9688ADB8
                              SHA-512:9430521E71D37900EE8AECDD587AB0A22DD964669B03CF354DB54CA5E558FE4ECD1A2628307FE2C72714F239A38D60A691F1DD8F68D1E3ACACA0434FAFED542F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2193
                              Entropy (8bit):7.624283334855522
                              Encrypted:false
                              SSDEEP:48:ux91TYcrGGYhW9Y9w9Y9dRtIchwwRPEJGpB5Cqqry/mJz++Y9l+Xf:uldBYhTgchxWGvlP/mqq
                              MD5:5CEA1AEFD18F8B513B475860A32C33DC
                              SHA1:9AA82681C1285AB4B6D89BEBAA0215174CFD838E
                              SHA-256:88A4B14F242597F38BB878DFF5614BC29036C000C7B7649FA7696FD34FE50321
                              SHA-512:E10581302424D230024191BC1A64D84321470A8E1A6C720A34EFB0798C445D9A86B9F28E2CBB2B2D02A00D93AF13D446EB1ECA181CF1A6D7C6F63025BF45EA4F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5425
                              Entropy (8bit):6.774480237223261
                              Encrypted:false
                              SSDEEP:96:Q4nyCPnXpFJnL7gKGTH7Qfr0TEJVY+aEHQsOxR5aEaL7VvBf:Q4yetgK/jeuJf
                              MD5:DEE9ECF0D6B4369ECFA7B2A735A0666B
                              SHA1:4C8DEF1282BE299ABC6658366A0A06785E3624E8
                              SHA-256:8BFCD452408836443E8FA6864AF0019A4E14A1552D17B7B5E5217529731F6791
                              SHA-512:01B03202EB111C6826D5C25D72F24845C04BA99A1FCA36ADCD9F19A86726A529D7DBC74CBC1C36E84BF96360642DDAB48C40E46A39F53A38FDB192A2991C3FE5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4873
                              Entropy (8bit):7.814945531940821
                              Encrypted:false
                              SSDEEP:96:M/Pb/P58cb/Pb/b/Pb/Sn5NKI9mb3fIA+Isia34DNGL8+RYK/k/+pUoJ4+WK5gT+:M7Zt7j7aneI9u3fI70Dk4+GK/G24+WVa
                              MD5:172B3D7A7AFEB04FE4A365949EC32E60
                              SHA1:5B8BFD8DAB0A32720B20626105DE4578C8584820
                              SHA-256:11BDF93D44664D51191154283095CA7421E0E4A4FFF2C3CCD09C283D27D4D7A6
                              SHA-512:47FE25551B8FD64CD372331BC575623E104D8FD882473FA47B4D1ED4ED2A9DEEC1650ECC09309FFEBBD6B9CE604BF85A0800438C691A4CD1224BCC41E9A9864F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6799
                              Entropy (8bit):6.796911032072646
                              Encrypted:false
                              SSDEEP:192:68RQtaXMu6iJD5bvOnmO2F4Ry/tLo65/FS:68RPMu6iJIHUtLvFS
                              MD5:6DFF71CD56BFDFE549A364D20D7C14AD
                              SHA1:ABB832E0FB8973895DA0CABA53613F8AA7A93313
                              SHA-256:248785DB7E7167B22CAB4531459B492D310BBA6068C6E30B379B48372961BADA
                              SHA-512:3E69FBC13558F68600A077500869BE08CA56260038B1EFAFA16673A7C1813DAF14308EC0E3B66BB01DC97B3742652DAA06398117FB9210D4CFFF75339EB4EC1A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3485
                              Entropy (8bit):7.790225243427575
                              Encrypted:false
                              SSDEEP:96:rQnMa8+aWjd1m/c88pF/uOngO8nEwVdRmqC8:EK81m/evrngZF9mQ
                              MD5:E04CD6EB56C2C4EE8A62C7BB916440EC
                              SHA1:C0F95554B0FE070FD87AAB9C385D1883DCF4D2B9
                              SHA-256:8F2B0FD7FD299BEE35F09CA3BCC640F5AB37FA1D131DBC2E32AE6A637391D868
                              SHA-512:CC3C7C58632CEA62524C4F51935B9F542DAFF6D2401ECC63D39E8058AAA90B7629E7A03DD27543300FF4054EE30B0B937E1E57313754A82EA82E2AAB73A1F258
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33423
                              Entropy (8bit):6.872692888871156
                              Encrypted:false
                              SSDEEP:768:7nCX1pAO6x5/atr/u+iR+eRhreW5Id1crmoK/2:2X1iO6O/u+U+e3reWed1crH
                              MD5:EFE7A722BD7273F980B68CA97319776B
                              SHA1:9E205DAB557CBC1B560D3443F956EB1022EDE1CD
                              SHA-256:2B9A6B5F2F6F674EFCE80A6D970B17BFCF6563CFAE869B441715A0948E08B5ED
                              SHA-512:52FE2CEA536F9662337E2E38690A846DC164D5B77B03710650039149EC5EEC75ED3463D93BFB162E5521C80F7CEC18B41DBA7FD2B233AF64A97EA1CB8E52A173
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16526
                              Entropy (8bit):6.870657873475127
                              Encrypted:false
                              SSDEEP:384:nzHVfCKtzzIKKUxXbTA3WdgAL+0Qj/IweX5fPBHAYY:pjmK7xXbTATAZQj/IwkNNHY
                              MD5:5B60C8ECAC368DC6C1760E6265E49FE8
                              SHA1:3A06855083B06584E25DFFF3B2428BBE462AF4DA
                              SHA-256:5971EBF1B3703D0022103179861CBD173693745C39D17D1C4EBB2611B310672B
                              SHA-512:50879D4C7E9AB225DA3009A3236FBDC97F4A69A9DDDEB0FAB1599876CBA68AADE18D088E92F2C97DC0BF15DBE0DEF49A1CE1BCDFBDFC17F11547833A7BF7B2AA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12166
                              Entropy (8bit):6.726812950780171
                              Encrypted:false
                              SSDEEP:192:YJDYb06Lv+53Vs7/M1PiTDgbwkcxTtt7ig21Ss:YJl6Lv+5O7/M15bwYp1Ss
                              MD5:810137AD018C311567B138A5751C3D19
                              SHA1:D6FD438D254240C39D7ACCD542194ABB049A6DA1
                              SHA-256:FEE6038A1B5733263C567D8E506A713ABD906B347FC38B371D185723F2C05FDE
                              SHA-512:A4B6BCD02B5341AE480906C2257EAEDDCDACE49C84CAE93765A2A970A20348EE815304EFEA63E537F9FC8117FDB8717D24544EE03CD36B8E82DCF8B9169B81EB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1897
                              Entropy (8bit):7.579785687014385
                              Encrypted:false
                              SSDEEP:24:4HutSqCybDL2bmuHu/uHuikoDoNtLHvd4ibzm+IuFyySqkugsnrvWfuOrZF6V9h:PSqnTMkxHLHvd4ig4yTq7gQqTaJ
                              MD5:794C1878933A1E25108CF19CB2896CCC
                              SHA1:A369FF4C33999F3DF4C65509B811F0EC256D9A4F
                              SHA-256:1DD289C6A3AB551A966F40107A4EE5D01212E4D9533B1A69875CC1BB01E60072
                              SHA-512:B6700ABAA297C9DB16649FB72BFCA8944407EEE584D3BFEB518C0905F48A490E1858DFAD90A3C9E1E76AD29DFE4E61FD6D175004D923306FABE50D11E3D18956
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):85539
                              Entropy (8bit):6.7371926938599405
                              Encrypted:false
                              SSDEEP:1536:xpn6wEasemZWCiOXrwzBAao2tBT2aa7ByAuCGphbgUIdC+RNSY2VsCH35ISV:v6wRMZ6xBBKv7ByHXhbhIdCSNS3VZH3H
                              MD5:4042307C7B0878DC3D8FC682EC35356E
                              SHA1:F8F55F8ED55EA7BCF8FE3EAF3383F0DEDAC9E8D7
                              SHA-256:04D1C1876674E5DB4AA9A45DE265DA5C71162DA97D71E9D9DCDA0F56986DAAA5
                              SHA-512:AFFD77A2F58620A4C15C5DE24DB1A5C94692703129AFE2A049000C6EB03F686B35B0DAA4822D25699E00530FDFC5CB89DF224292F51832A51388A368382B2D00
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42789
                              Entropy (8bit):6.872724688338539
                              Encrypted:false
                              SSDEEP:768:ORlRg6nsyE7FGqeTJnqH8sutc+3DXoYdVpiIK2BS5loJtOwq46JFui:x9u3XoYd/tK8lKfFui
                              MD5:DE96576D954170FE2EF06E3891324DD6
                              SHA1:3012C0F4BC9C89FDEE1D598FA4B49DB35AB1F1F8
                              SHA-256:0DA9A4DF0B951BD39C85A780E88CA9F5A465C9826D5F48F26ABF0A080A38C44B
                              SHA-512:F76B3EAD5DFA09660611FABB9076F7513EBEAC02232CF03E417A3C700373E8E8EB80D403ED937CE9941C6D4D029A32179B896F761751D503E5B2C62CB383FF6A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13068
                              Entropy (8bit):6.831078517680806
                              Encrypted:false
                              SSDEEP:192:jQcZCtoGBbNOasa9v+0E3w3drrsljWWgQcWIHSQ:jQcCLZMasaw0E3wZnQLQ
                              MD5:4565F8DACF2C6766499999AEBA914FEB
                              SHA1:D35D5E509A2B37F225EE7315415F2D9C465E3D09
                              SHA-256:A8EAD5663DDC7111852D701EC3910B4F90B743A78ADA77A915F1F1604F2DEE43
                              SHA-512:A47AA4E4897FA553EEDA8F05B0E43950CE1509E94911EF6156C601B3B8F9D7E9251B4CCA31FF9222900FFE8685843C9322B0536B310BEB6B8C699F3FD39F2CCB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2792
                              Entropy (8bit):7.482270395768446
                              Encrypted:false
                              SSDEEP:48:xvFlFJ7NkFlR1Fl1ZA8UTFlFO6FlFcUFl1ZFlFHGexqlFlUSwlFq5FlFz4ZP:xvH/hkHR1H1ZoH46HpH1ZHVGexyHUSkN
                              MD5:E2F162C1726F96A3A62F26757AC69E73
                              SHA1:45684968017A84520288C773B697AF4092266BCD
                              SHA-256:D3539636F92D530363DC136FBEB8E3C9F1346252F7C30658ED986FB26A5D9372
                              SHA-512:1B402F26D960ADC5A170C6E979EE91E3AA71D5D0A776EDC993AC24BC75A37F9BCFBBC0E5063BE142AAF5C77A6FC9A3887798CE14616BFDDEBCD745B066A78DED
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6698
                              Entropy (8bit):6.68395722989785
                              Encrypted:false
                              SSDEEP:96:aAxgWVX3Z9u47wihswCNBm6LthuVcXndigQxZTJJJ7XFy:aFWVXpMA9hQNVLCcXkgQxRJTXFy
                              MD5:EC33A4985CC9F056D113D8F8CEC9316B
                              SHA1:9B272EF313809332609E4C8827FF7EA6C8E4853E
                              SHA-256:2A0408417F13FAC3C1542C0D4B16816A99F185549AEDD9C71F5B09DEBEB544A2
                              SHA-512:8BB315B3593FE11D6AFA2E0238ABA7D673153FCD381D05F73ECEE6A37DA492463353A86CC69BB3CDD8B801B1C2AD6871143860EA652BD5A7C00A0C6C4B52E9BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2434
                              Entropy (8bit):7.6925432752314284
                              Encrypted:false
                              SSDEEP:48:6HjAZlGAH8AbHmAxVcgybORrDBWOqBGILnRj1nCqtM8kHcZ0i9j:6GlAAxVrybO+OqBGsnRj1nCyv00
                              MD5:5D80336BDF2106B2C2D1A4F1EEF3D0D1
                              SHA1:4D9F01E72D7C868F8CFC6257337B25C988B0DA43
                              SHA-256:689DDCB6DCBF7E230FE066A14EF6E2C095765E9FB8F829FCCE7D33ADA91015C0
                              SHA-512:800D814933478BC858585903959911105A241E50135256BCFB695E9958A8D93597BA8DB2881C0850D6B143E4AEBFB8C9BB481BD889B86FD03866C35064222750
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4765
                              Entropy (8bit):7.830529876548603
                              Encrypted:false
                              SSDEEP:96:lsfNjWntvDspDJE/kyJPWPs5+971eGNQK5QrqiRVQZB+A:yWnNcDmky8PsQ71iK5QrqiRGB
                              MD5:952B245247AAA757956CD4EB82E67961
                              SHA1:606BE49DFC0F1CEFF2121EE44E82AAB73748C101
                              SHA-256:C2002B3A82EE9E7A11D7FB5BA1247CC6AD9261E314FEC9111CC84985C22F8B9D
                              SHA-512:79264A84F4A2EE87601BEF17FAFFD14EE004730AE5A8EEDA8FBE5A7048B853CC22953982F784E953E8D0A3D668F99E088FCE20BBBC778784C98636E35A93F02B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):47975
                              Entropy (8bit):6.723946788124523
                              Encrypted:false
                              SSDEEP:384:JbtSKEChvbz4fP9uMQ5pUt4Ynf6zyygvRcWUAc18Aok2T/oHaeNCqGi7ibcQjSlA:Vt1B2P8pUtRfqv9B2bDSZymyTPl
                              MD5:87F2374A5DE220EAB3CE79761AEF7B25
                              SHA1:E168A51C151A8C254D889DDDE9672D5BF92C0315
                              SHA-256:1C0353F94C6773578B728E94E0B66EB7D313FDF25A37338965FE840D0BD6B342
                              SHA-512:0E884329BF90F74690945777E1AEA18EA9B2757492C5B47764A23DD641F6F5AF09BFDA93B322B118BAFA19DC67C9377C5D713271174CFFFB8C42EB5C910D2598
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19232
                              Entropy (8bit):6.340275260720928
                              Encrypted:false
                              SSDEEP:384:ZIWzMB7KMjwBWEv78F/TdteipBqLt6+VrYPfpmeRuabDD3JaxE+CHC7OyvnWTR+o:uX7KwwBWy7UptxpBqLt6+V8pBRueDDZJ
                              MD5:D16BC97B02A84D7138A622CA144A58C9
                              SHA1:9ACC27C05617A2AA91D7E638225B2B10199F77BD
                              SHA-256:6FC08677176211DDA306F1AC43CBA0AFAF8B0734A682FC34335022EBB9ED43F5
                              SHA-512:1ECE08626E931EE5BB8BEE1A67894ED80A4C32691A572824AF9780E9E8DB0A7A99796894E57FD66577D85636EC5CDC942BE34FBBE5641FBF28BDB0FB334492B1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10298
                              Entropy (8bit):6.222876105465709
                              Encrypted:false
                              SSDEEP:192:VNcp4Z3yKu+yoZrCG900PeZlTRk29RxJ9615nHL81:VN1MKt3BCT0mZtRl9RxSjnrQ
                              MD5:7DBCF6FB97EB572E13CFB8395B892527
                              SHA1:B91D7E3C96DD882C497270A602F3CF22D82491EE
                              SHA-256:692DD025CB2FBA132A48825CFEB49A3D6CD2C3920E26A1D303D2A6ED1FC9CC8D
                              SHA-512:C0D43067E910C76EB7A58C2C1BBB4AA6A3AA4F2E7AF4E94CA454C76B986F0052F21800024389E846DEB8F94E00D7BC72ABC4877D89D10806C600B641AD573D1D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12870
                              Entropy (8bit):6.746538896750991
                              Encrypted:false
                              SSDEEP:384:jssEV4mZO7j8qh8XSJRdFFwn/CpiPeiF/lZ:uZ8j8y8XQ/UeeZ
                              MD5:B9AE44DDC2D44CC1F5ED71B6A677DCB6
                              SHA1:220BBC439F04284CA38DAEC88A7AB68E1067BCC6
                              SHA-256:FBEA883F1E3A96F7D95AD37BD0500C4C78A093E0239193E39B65A100C7BA9C49
                              SHA-512:048021461EB0870D590FACEB4878B50B17E6D2938DA80A0F15A898AC960438DE43AC687175EDC2177BE3766CB0D12E22E7382A71866070966489893755A4096A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8085
                              Entropy (8bit):6.835167113348044
                              Encrypted:false
                              SSDEEP:96:rZj9M1Ix2CyRoqzxa8CM2dbQgyAyNgzCH3qdgErhak4LxVnfgS64pbiYbAv8FjI7:dj935yRj1V2ZDkH6dgGo3HK8BAAv5o5
                              MD5:FE79FB0F643B0FD9F62EA41A350FD7B1
                              SHA1:DEE6EA756E34ACFB80A68179F31CAEA6DC806DF5
                              SHA-256:FBF9A7A47D611794B20B1C0708A11CEC2BA229C9DA891305FAADC5E7168C80D1
                              SHA-512:5B5056FAEDC6C3CA434997498EE861DC9279BF52ECC7C400FC1FC851C68A578B9FE27BD3FB32360A018B2EE2F52885EB023A0FAF83C4D1E84BD6A86284CD59C8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4547
                              Entropy (8bit):7.799443075573907
                              Encrypted:false
                              SSDEEP:96:KWSnOdgQ5dMLX+iUAq3MzyfW63KDPrzFuS70H6:KtOWLbPqqZRDrzFZ70H6
                              MD5:97CBFD12C6B6887E8EBE8D66CAD285DA
                              SHA1:016892E40EB1884E5CEF6A9B1FD0776A0244B686
                              SHA-256:84E979D03C20F91205694681703A4C022D8107B1F3D83C2E3F2D10EE06A845D6
                              SHA-512:6E5F1A43A08E8A2400EFB9BD5EA0B1B1216CF604720BE06EF96CFEE509BB429DFF8A38390E15FBB832F7DF9236D416059AB300CBC81AC64634B01C9520947E0C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27575
                              Entropy (8bit):6.570240019929509
                              Encrypted:false
                              SSDEEP:384:g1KeehR5IMR0l7DLa5AM6oMbFUP8kzUSR1htXIj5bMb4XAVU6qakfA1zhz7hAKhF:gheCMRgroXj2Ob4e9GKhF
                              MD5:C0D3B522759860345362242154CDE953
                              SHA1:F719EFBFB021C81F88A0902EE2E2C65FABE04BB7
                              SHA-256:9E786D2EBEB6FDD160991E813FD0A172AB7744178EEB562CCB79EBA582C8C10F
                              SHA-512:753B6E15D12FB34B2492E7CA7C5CB1FEB6A4A3876C0120D7E8720C39359C850F1013B21173B66C8665DFB07D80AFC5B0CAF8D0757EA859AF0B2E816395BFFECF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):86394
                              Entropy (8bit):6.418649688168852
                              Encrypted:false
                              SSDEEP:1536:MgGMIoOjmmujflHEBTMQYecX98M5GbWZ4d:mm/jeBTMQYd738
                              MD5:E8CFB147FD91AA380A4C5B67D8EFB8DC
                              SHA1:E624CA3C0A74319D56A1D793D5DBB44D08188461
                              SHA-256:894574192B57842A5802D56C3CA31F9011230CCAB9628434EA764BA797C0EE6C
                              SHA-512:81D335DF3805CAAD1623F7643B292F7C762BCD79C2342CE169B79E1F7506110D8693473F163D1FA86689CB6B1F66C8E93F23C36484531D046E4F04C9851D656B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7368
                              Entropy (8bit):6.814123707699499
                              Encrypted:false
                              SSDEEP:96:qg+IuIW5KhF/21QpfilMT2LFWy/K/bu8fEwIaK9joPlFJ:q1IZqKhBZf8LAy/K/bllIaK9jY
                              MD5:82AF6FABF9C17A6A84D7490664E93DC5
                              SHA1:E28F4FBAEDFE76088B17F120BA3A1F1B8D49E20B
                              SHA-256:7A020D3E157BFA9500625CF7D6AA43122220A198918666A0794B19F7D4C26395
                              SHA-512:3AD9D7DBDB2D55258E0D4924223873C27B6EB463D0712FB699E1853DFBD606AB91E44F98B27A1A37EF0BAD9A8E7E3F2E7108B12F043B65529717649D2D39695D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29607
                              Entropy (8bit):6.581818381853153
                              Encrypted:false
                              SSDEEP:384:ntEB+/R6xQZQQMy1eNQg9Mtwisk3IZdm8WviFKY9FtkzAC8uS2eEeUxNf:PDiQxuPZdWvi/Utvv
                              MD5:6A4DEA912BFDA2D75E2AF5BCD9C738BF
                              SHA1:7BC0FFC1CE7BDA762F01E5551B543BC6F25A0792
                              SHA-256:FC16878288874E9742D2BF361BE3C58B82758CC795C5BD1489BEDFDAC295A056
                              SHA-512:A0C47255EAEFC96BEDF274B7B6B811F9B9EBBE4F6AD2CAABFDEA9ECAEB5B0F0E3D976D10DC05781EC254C1E159AEE1580F85C4106C2F60D4053E6B02B77C8DB4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1409
                              Entropy (8bit):7.371988987923833
                              Encrypted:false
                              SSDEEP:24:sbpFrpF7keAlD5ElOfrpFrLDpFrXgrjHk00tpFrpNNNH:stvhkeAlD5E+TVhbvNNNH
                              MD5:A9783988B9F4C64FEEDBAB24C8B7835E
                              SHA1:18D95EC7352A4BB786B118B33283FF389E703ACA
                              SHA-256:7BBA0D665971261B87802A4CD916F190B07FE7310E1DDF14C7997D876C9AE855
                              SHA-512:8C51FAC93FAB29CA9A8170F71FFE0CB05A4965100ECB2ADF5CA5DB6F619039E03890E594910E95728443D0CC97BB5E2D23DC3BE7B232E74B74F1B2C408A7C447
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5148
                              Entropy (8bit):7.806104492797392
                              Encrypted:false
                              SSDEEP:96:D3rFRcWLBjFc4HEQdPlWZaXCipgRPZ6UTm5NjDDpdf0jqdl:rrFoePIgXCipCPZtTm5xDnRdl
                              MD5:D16222A9681268A4FC8A47B6A84AA148
                              SHA1:E6E27C7493A5EA9BB31D3488B1214B64EA02FCA7
                              SHA-256:BE66973D002A23B4F8583C3D4F7FAD25237E330F6FB92E0744B9934A5A239122
                              SHA-512:552825B777BCBC7CE0B9CE005FFCC04A920F45B1AE31CC838D42BFB7946FE7839B2AEDCEE9CE234FA3E1A2C5889C35D9A4651B370F79AC2DA3CECC553A6F3D3E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31421
                              Entropy (8bit):6.468981560849005
                              Encrypted:false
                              SSDEEP:768:FXagm88UmkuLRoyzlQmmRvTJjL8nAjWzVH2nrNx7wgN:wg9gojMA3
                              MD5:E721364FA3A912CBC2900BE888527DA6
                              SHA1:601DA0AF2550BBCC3897137BCBEAF8E91D1445FC
                              SHA-256:D2CAB8B730488D7F08EDCE54C2030438B164A51A88A76E7184418DFC8817D7BC
                              SHA-512:C9115FC912855FD1976AACC06287C6FDE77CF30DCCEF91BC8653F0EA37A41C035B56477D6DEE960DEDA8B64618297C6517AC06F15B3BCFEA95F85BCB6E382A7A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57934
                              Entropy (8bit):6.639574387347109
                              Encrypted:false
                              SSDEEP:1536:g5JVGNQFq2InavLvhZB7e+ZDgr0DsQz3QOiRYunQUrmt1NMAIJGWKEBvwn6Y:4JVqQfInavLvhZB7e+ZDgr0DsQzQOiR+
                              MD5:C22ADB4D4D69D10DF3E274A627C9EE68
                              SHA1:FE055549AE55A6CCC9BC6A46C9ADF41C494C6059
                              SHA-256:6385C856F74D5744F2391D17071A42E26F3172761C03D204A43577ABF80365C0
                              SHA-512:A0CB39596DBCCA9035C0F6FE7D97D2B75537886D06F529862C1ED83B10C220E9DBA18C4880B016D292CE21CFCD619E63179027952956CD31C8983FF27C16F0FD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19931
                              Entropy (8bit):6.647282039370262
                              Encrypted:false
                              SSDEEP:384:R3b/n4pJsNg5t/v8JFrhGx10U12kF7O3Smv8ae/aaereo2e:Nz4/v8JFrhi0U12kxO3SVMN2e
                              MD5:F385A5A88B0B45A547477E3007F233F9
                              SHA1:EB7F95EC6366EDF653289D074ADC4A8481911EA3
                              SHA-256:1159BCFDE96868172E48088AB4B5C3AF6B5D30E66CEC50295291A6853DA1F872
                              SHA-512:68451E973C52A54A02D025C5D7902C5883313F74067521AFA50B1D1EBA77A01B76BD258D7C2019D28A65A7A11E7910D3D9AEA430AB9CF288F51753106DA719AE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):46540
                              Entropy (8bit):6.598052695853867
                              Encrypted:false
                              SSDEEP:384:zvOTqrGNCLup1jm99SUxii6zLSLA4ijWdW7osYg2a/kcwOSwvRPYBEz5/FuP3GRp:LqH4A4l0ona/kcwOSVE0N3uj
                              MD5:68DE7037D0FBF473141F63D3B5117A59
                              SHA1:66F8678DD176A731521ACAB5806AD02B63F66692
                              SHA-256:625F207FA7E586365E13270B8F015441E38FB6869136D43B0D9907BB7F4D711F
                              SHA-512:9C76A54DCC7FA66A3DFE0BC8E63B0C0292CC46B213BB37D09C6E88E3877FACD6784DFDF861D9A6BF09D59DCD903273224E5918CAFF20A3F2D049212F42DBE896
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44443
                              Entropy (8bit):6.704645659677546
                              Encrypted:false
                              SSDEEP:768:2k3kbJ6C4x5sQkzGc+tN0qk3HwgT+Z65EHokikV5RMU0W+Bs:nUbJKOQkzx3H4pfjLJ0W6s
                              MD5:F7CA3AB397D36F15F07BCCE7343BE905
                              SHA1:14DC2126CC486ED98FB56E4C8FA4B03706BE8CC6
                              SHA-256:85F93311D0EED0CCD5F61F3CC16507C71FBBBE80B68DDC496789FEE981379CC6
                              SHA-512:B868DF99D927B4A749C97960217777926357A18F0F45A7065BB2DEFEB1AF7B0945611DFA56B60BC6B1C0E89458AF0B4A7027E2E1232BC158C1175621E6324C44
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):7048
                              Entropy (8bit):6.794214894438035
                              Encrypted:false
                              SSDEEP:96:vRk0bSnwrmcgVkaGaDzm75sttoneN7zS35dxunaiMYt2RjFl3Ij5xHf3Y+txi:vRtbSntcgKaGavm7y+y4bxdNTeHgwQ
                              MD5:324E3E04BB093914D54A0C99A6F57B1F
                              SHA1:7FA8209CC75A7F33CE7A659C4C3DD6F888378680
                              SHA-256:4A80C01363D64F17549D271CE752C96F5D8775001F5D1D5C6AC6D77E40F1FFD4
                              SHA-512:027A9CB95B22CE5409A462BD2FECBD8B6F252A6547E8430B259B332BFD77BFAE0A902976F6EF87F29495FF7A9B1B092F16F4331C53FB298E9DAE366C76DDA3AD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3920
                              Entropy (8bit):7.80592946934614
                              Encrypted:false
                              SSDEEP:48:QG3fGFwGerVeV7RV/Vlx4xs5jUlD6Q5KtjwP6N4DpNoEh+lJ948+FLSWx5hC/YWE:WP2+qR5cwPE4T904vTqY6arr
                              MD5:0CE5729F9E4CADCAAE5DF0F723266B01
                              SHA1:5FEFED55CB054C57033C9DC346AF7BEE49F96A57
                              SHA-256:175F4EADA314F1C7CB169BD829832FEEDA7137BB2A84685FAC597B50F6E93D01
                              SHA-512:54835B6414E6E9F7EBE1165897F0AA5E8884151AB63E8C051D53CC13702E5634E704E274D1346480F68369081A9EB0BB46CCAE0A25219CA8C5D7817B1BF5DDD9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2382
                              Entropy (8bit):7.69651237380071
                              Encrypted:false
                              SSDEEP:48:E7cEH3lvc9FCipdu5loL4riurDNhtDK063tyLfUQ:7EH3l090llobCNT63tyLfd
                              MD5:934C590FF07B3CC90C2F4EBFBC93FAE5
                              SHA1:A25763F1E58FC99D2C40E5658AF1D4BF8165DCE4
                              SHA-256:2A3C2E4DFF3E3067AABC79F80C829C45C678407275A0EE3F2CD78EBEF713F21B
                              SHA-512:CF605C96A17D29DFB1B3C3489125BC113E9C007A42D8491257BD21BFDC6EA161DF977E7D1DEB7525E9E01EF64122568D1C5ABA17FCC0EB18382A4CE041E66AEA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):304934
                              Entropy (8bit):6.390069963536487
                              Encrypted:false
                              SSDEEP:3072:7tTQqbgu46tbpEwoqjWvF52aipc3GqRXqUvLSExcJJLNLI0Xp0HoVYVZD0m72oCM:ZQqeSCBqaSpTHoW/qH0q
                              MD5:3F899C653DD04FE0993B4BB711136D33
                              SHA1:EB59F1F5BDB253630E492E33AFD63A882FD064DD
                              SHA-256:65B9AEE2ACA73871BB24C7817C68609611AB3B7CFE4AC5D5B21DC3F5D64B0F37
                              SHA-512:A4A58D2B716BF10265D42CB7D0E9C6B68D956ACA450989BE5B369A82FDD3D02542A6758B3854DFD66AA68D4ECBA717F68C6855AD92119BCCA1B6DD94CBD0AE99
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):26520
                              Entropy (8bit):6.933111989246408
                              Encrypted:false
                              SSDEEP:768:oOQ8WCoDTXZXx14Rj2DGI7TC+6N+P6VMDB:K7Bx4a5lP6U
                              MD5:5C2BDFB8F2414B42C62AAC80520BD3A4
                              SHA1:8FB9DBBFE70F50EDF4AD87F5AF36D533F93064B0
                              SHA-256:61DC332425CD9535497D5A32766745388059F5A46EB9ADE6C39BA590285D92D7
                              SHA-512:2E8D7179801D856B89C6ACAF60EBC4331FDC152BB871DC9EDCB90266194961AE04634EB4BF8A80E63A0508B6070A0C889F48116918ED79A3C9428AA305920926
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1323
                              Entropy (8bit):7.508778246805147
                              Encrypted:false
                              SSDEEP:24:1uTwor3UwoFgnOCOfwor3Uwor3zheqiwjkLk2sywumFYmLKpY8N2tC3CuxX:MKgO7bilXiE7GVmimLKb2tCy+X
                              MD5:E61527A8BBE67285C5C94888E0B011AD
                              SHA1:D497E6C9ABD4D4976EA3FDA96EA76DBA583D1196
                              SHA-256:F2693827B669B71B8C2EBA61D917D544F80C8E0EE4F6B5F569118C605F2A23FE
                              SHA-512:04C285F954B2CF612B23B3D1C8BD051D87DFA49CB7BA9E35941A9E1CBC81038AB3D25A7844E444123A211A2F9AEEB7E666142A1E716CD5A0EF455F8A43C8E921
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4363
                              Entropy (8bit):7.825997338102069
                              Encrypted:false
                              SSDEEP:96:rxtxXZxtx9xtxhSn5Ir+2moedKUWuncX+mM+ZqW0DLvxtPr9U:rH7HTHhr+2moed9WuncX+RtPHpU
                              MD5:C5CD2D3DF2C0365474A2FA91FC9DCB8E
                              SHA1:5A2F78246E8223334306F6C76BB7263BFF274C3B
                              SHA-256:7316F9BFA44812A36FC03FD391F368375C89E5FD9E0DA68DB690E916DC735015
                              SHA-512:34BE1A38E6BD3942E1920CB77761921FF8CF1C68503F93CE8E87A681BF5A2D35B89F80D201001F5D8259F23B4727E4B409B789F96C07BAA4D34172F810F11D81
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11270
                              Entropy (8bit):6.265096888675748
                              Encrypted:false
                              SSDEEP:192:sAFph+SLU0OxfnIf9cygUQBvrVdlcBSUrK75cWsZdZma//qYlrDAdN:sKph+oHOxfnIf95grdlrUrK7bsZdZmaK
                              MD5:C5B3758E261F5873C3E3231D8F125CA8
                              SHA1:5C55E15ADD7EF89476A76F71814A3379F3E9717A
                              SHA-256:D2D4CE6B449499EB4100E32C97AF43EAAC9D96FE33FD6FE07AD75E6FE27F47B4
                              SHA-512:C3FCD904434F0856BA8239353721B759DC929BC8048ED1D62489A6C5C5793B02A057E13F3C92B125E194DD3927CBE782FD453E483B3C7BC09CF9422C371FFCF3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28799
                              Entropy (8bit):6.374905005417324
                              Encrypted:false
                              SSDEEP:768:oPdtS8QcwQBkpq/393AdUsvN1CO8+bYQUCiMwXc6Lmz+5:Wtsl5S7
                              MD5:FB3D537E86CF8B1B9B5A9F4B898D87CA
                              SHA1:3DB3F41F35E024AE15CC966C908E47294BDB9C1A
                              SHA-256:D5D9889AE215A64ACD8D7D4646D558BD7B0F676B9A4CC868AED10B05B0617E86
                              SHA-512:5204C66BAF4AA2094D137F438E3D8D49FFDD47833C54F6891AC8A54F50AEFE13963045D98FFEA47317650232B1155318C131E4579586663DDCA2CAB55199314A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41931
                              Entropy (8bit):6.138898201886382
                              Encrypted:false
                              SSDEEP:768:xfcALqMQPK4KfXVZRxbzlIVb9TG1OPrj4DYfqEjl2wZRwvRv8NSJuHUX58WIY57Q:xYKwahIo7I5EA
                              MD5:2B3F803B60256EB9F703E652679A47C3
                              SHA1:35ACDC1AD0AAC69F902BC46AC8BC29556C2A0112
                              SHA-256:8E5CFBBE03252155F1A965FC6A9C6998721B5C4FFBFB6B87943F6F9255D46F67
                              SHA-512:A88946105283C4D19B7FABE0844560905D1ABDE0BEA32B653FF0B1F542B23830E7F7AA8D4E61E7B7C6309A472ECF6B6EBC4C242BFF64FA42CB1381D04285AF5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48540
                              Entropy (8bit):6.123624173326748
                              Encrypted:false
                              SSDEEP:768:b/1NkGwF/hK2EzyXsjKMZu2ezTL2HRa0rt4PA9qw9vxactxyvedSjvE06JsrWfdW:Py7EzvRhgDI7c
                              MD5:70F3CB3DA0B18E9CBA457F02D1491FE5
                              SHA1:24F1E6D87F1E8001F764FEF05D70759B78A5DB79
                              SHA-256:03C148DBEE469BC9E60DDA76126FAB7D7061D6B2AAE3190C8651B3FC6AC7561C
                              SHA-512:F73AFE4F91F5C65D4FC8CF394A82D76A62AEF635E66664C881A6708F93FADC4253635A2CA3B5BBD4B1C4AEE1E819CFF4E60FABD24EDF45DB00BBB6922CC64BCF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7439
                              Entropy (8bit):6.441723759666785
                              Encrypted:false
                              SSDEEP:192:/9yJLk4+BuvDD5PoZE2ZK4DeBwMCgMkTA:/9yJgHIPOzZKBWgw
                              MD5:4F9ABD2AA66E04BA7420FEB19264D6F6
                              SHA1:25CA1BBCDBC9A2B88474234962A9702F36E8F1E3
                              SHA-256:2B6EF69AF72F209CD621372EEEFDF666A98211D15FBC56424A165919FE6C2947
                              SHA-512:FCADA9BD46A68F3ED11869C5717AB7D5DF9FF0D3346A850E4BA2D96635520DA67DCF9ED8613E6F39E67F097F0F07821AAC797779B77F19C7ED18EC8627AA4235
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14223
                              Entropy (8bit):6.175087432147066
                              Encrypted:false
                              SSDEEP:384:6eLifnAMkS/0wsPKYnS+b9ul/D38gIMY5:6XfhyoQ4zcB
                              MD5:BDE208FA05C7D5A03542B06F7A52B5E9
                              SHA1:77D1C94EA2C9A8C2B444733EBB1C78DE4D63B6B4
                              SHA-256:13C1EA21405B95A1958082D66C13C97E825F94F048062B88C830507F447DA2B8
                              SHA-512:3E0712B9B300610F7B683D9667A67FA36257BD9D27418F847A53B73307005067644CD1C93A8AE15AEEF03558BA30B5E7FEDD843C27A9D8B516F76E9A511E99B8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55244
                              Entropy (8bit):6.289265842699799
                              Encrypted:false
                              SSDEEP:768:KLUjzhxl5GZBKSZNWo4tfyex4qVwDB+0z60rcsGHbNNF9LZABitOUfU6QjZlLLQW:uUcBzGKW1evYwpS5BygTsT
                              MD5:3C637C857B64338564D7E1D281D98CF7
                              SHA1:ED0083BA4BAED9D2B716E3B2E19A6C8B09A05F76
                              SHA-256:80EA14913CC65498DA37DACEA3808EB878E55E94E00374D243E459058F1DE757
                              SHA-512:D5D261D5882673931A63F46D186E99589776C8CBA3D1912D7CE0002FE5C2956C585F2ABCFDB7CD7ED30FD4B22486505881A53A2DE6F17609DCCC76807CF42C84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41894
                              Entropy (8bit):6.262852432835088
                              Encrypted:false
                              SSDEEP:768:zszJn5ogRUd728mwLNLqaPmFxQ734q7VimSZCPuY8hED17NEgpUqDOaTYa:z2RFYQmbjVoExYa
                              MD5:65EB1316853BA2F2A4C59A7F38FD5EA8
                              SHA1:490C792FC6AA80B14777DAFDC013E35596C63230
                              SHA-256:76E4E5A64CF1C677EBF78971E5CFC875B084863BB242F1967B403F793CED4C61
                              SHA-512:24E7F09CD6E575928EF8386779BEC5D46F0F34650810F0CDEC16161F4858796D4ED4A25FD204679D9B884B5464EA1949E76A6FEC01224234FF7819ED85F76BD2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12733
                              Entropy (8bit):6.136840604271079
                              Encrypted:false
                              SSDEEP:192:S1NtxU/J1fbkylFSl2PlvVlbrWp3SlqJGEL5GlMQ4+y:S1NzU/bfbkyl8lilNl3WslqAIGlMQ4d
                              MD5:D0F854EF1FA77EE1FA295E8F3A784C09
                              SHA1:7D14D8C17A471ACEB6A5EC576C65CFC025FC7603
                              SHA-256:407DCB94CB3DF452991EC78D231605BEE79EC4537E7C2E32A6E6F9FEE650153C
                              SHA-512:2829311BCC11FCD4BF471F981980D6B6411EDC0AF74D65C304B2DEA8A0833AFC4C3F2C759271337C16E3417141CB13DD5C3FBF3DAD45640FE8CDA9D3B305EE94
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31828
                              Entropy (8bit):6.293650301377012
                              Encrypted:false
                              SSDEEP:384:79sE7Dvz7cuFJgDwygsDFiSq3RvBXbQJM4lpVqXtLRj01ElmjhY+aJZB0e9CldcZ:7jeqHSdRXcK8OTsm4bmShLFbJ3ovC
                              MD5:184C93BA59EAB5539C95EED92944717F
                              SHA1:ADEF12DDE4E6291CFCCCF445EE1AE86B6C96731F
                              SHA-256:15644069EA0852CCAEE152CB42A5671904F3E9FFEF8957531F1CAADE43E1A63E
                              SHA-512:BB866841EB79B5857A635320DC720144E51C415A268D78ED2F6D79246592F3BB5961BF8F656D8EBA9E4648DE6A6AB022FA63137ADFEB93281CE50063304028BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44404
                              Entropy (8bit):6.2308147029876775
                              Encrypted:false
                              SSDEEP:768:JvAAXlkmbfXYTSHw6WQCCWkNcvYfVq62ijwUkJObvPSKz9sjw/41ZzlyErkh6hb1:GIkGRWcM
                              MD5:565AB7CAA67DF8C413E077928F967933
                              SHA1:ACF6364093382356A21F31A931D63F9F14A440CB
                              SHA-256:2589B1CB6D2B7D1DF6A1119576656DA796B89FF42B96148A71CE4D799ACAAB8A
                              SHA-512:5032AAFEAF814863D6AEBDF71042D6E08FC8A7FC216F423B7137354A3C0232699130DCA9AA17648232B787CD79D452E44BF09DB7049FEC7F5DCDF97666562E49
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):196299
                              Entropy (8bit):6.462499055809714
                              Encrypted:false
                              SSDEEP:3072:kc+7lVff9kVDHhP0g8ye3afyEKlrMJYMeq:Aflk4TrvMeq
                              MD5:B176517B5DD02378BF73B07F121E487E
                              SHA1:BDFB37E0E66F96F81AD928E80C1B3EC10B4821B2
                              SHA-256:15B01664D117882771EF08461C19C67F5FA67656B18EBD70F9821D414840E7E2
                              SHA-512:FE0C64A86B2B9DEDE939B10914C15ABFDB9D3126B053C071FFC266B1FD34859475B0C7977D58D0608375360CD93495DC90B26B011C919DB7330158E3D4FDF417
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):61900
                              Entropy (8bit):6.151075750490252
                              Encrypted:false
                              SSDEEP:768:H5jQFzhobc7TYvu91Mw5exTk4ntCOe5j1EDDPbcqUvDeq7E9OoQHukWcYj:Z0FqAYvyMw5m4sLweZZ
                              MD5:9E5E48471977B0743214F07C8A27C777
                              SHA1:087DD91BE82C3CE09B1EDBE5D96E5C362AA18874
                              SHA-256:088D0366050EA581BF7FD3CEDD8D8D1D7A4C848F80F2DB40E2FF87B094177E26
                              SHA-512:12F550E513C494B617D049335536464CDB5E5905BC8F651B45CA6714A6FF881616F829BC1447BB7D45890F8D73FC85C72F62036661EB44B34550D3709A6652DF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40050
                              Entropy (8bit):6.294565375697112
                              Encrypted:false
                              SSDEEP:768:hwDm0jWXvW2qKHKE2E0wF9csklJfO7ESr2VD0ODXkerHL6t8ARr8s4trapd:aDmyvsCQEq2V4iFs4dwd
                              MD5:49BD6C19A571CF11B6D2EC5D9CF58854
                              SHA1:0206B0B8277FEA30BC4101789CF7DEE98A426D44
                              SHA-256:21CFFA8F262DE01B82E83D0CB82F1D59FD40A147151A24453B0BA0D9C0B3E4DE
                              SHA-512:BD12D30DBCB61761D6FDB0461169A9CC4E5504B07A79F2B8F26F15687C1ABBAF3FB0F569080E014DD7C9CDE8934F245BC740D0F8C3C004443EDA7973039233FC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):67447
                              Entropy (8bit):6.239545772019287
                              Encrypted:false
                              SSDEEP:768:qKfncoiu7wKZTWs1jIR6GoqTVf6VkgVO275+aiEs8BM3L0Y0yp+WMnCmd4+HGKVJ:q2ncoijeWsv3V5g0GKFFqARZg0h5gVnE
                              MD5:8525C82F3EE875E76C95F74E26772ACD
                              SHA1:66549B157BCEE696EAA0FB7FE0412C9A13C52B69
                              SHA-256:5951A481A8F79D5FD56D26E4DC3B5CC9996A1AC2FFB0F0BC8496F917943FAF66
                              SHA-512:F9ED0C39E57E6CD54FD0641C0609D85CCEE8B42E41092A3BB7EB13D0EBDA9143C5DE1AB5289F4C1A682249DEC91989AFF356BC8C5959DDC4720661FDF0CD2ACA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):209303
                              Entropy (8bit):6.597216290908052
                              Encrypted:false
                              SSDEEP:1536:KYYnhCd4uTZXkvmPY0t7mN9V8J3htwMqS0zdfh07U7NIq7wSVd5hI:yhCdVFX3g0QV8JxtwxS0j0QxBHI
                              MD5:53CE0F6D88CE229452BA1514981DABDD
                              SHA1:A9608D9C92054AAB7E40E06A70134B1830069E2C
                              SHA-256:4E95FB8C7B0084D4D938C0E632E4835CE7ABF5A00BDF1A4F2965651EB4A0503B
                              SHA-512:08EFEAEC0FC1C58E26A752FBA900D4BF531D724FC1A1F306D8AC65195FF6B7DC82029C75059AD4DE7CE09C67E35754B98E836C2BE94A79C8AD10D17EBA2BB3F9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):24990
                              Entropy (8bit):6.41157282699041
                              Encrypted:false
                              SSDEEP:384:GkTnl6s5lxKOlex8l3lcXlHlR3BOO3Llnl24Plb+SgY+A8ePfl4s:zPxteOVc1F3tljb+SgleF3
                              MD5:217C05167CAC8A3BC5FC1E66AB9ADD50
                              SHA1:26CED1383C2D59D7F0959AA343EF89D3CDEC6D3A
                              SHA-256:51F302096FABD4B79602CFD620CEB6E0667358E9638A8313A10A96A9DBEB448D
                              SHA-512:35AF8E020197E968CDEA88DE73E6D0BD052461357C45F1C8F2CC5DFB105E8E492519766DD177125A66B187A28769D028B63137729B5CE9CBD817CB1A31AF608D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:Dyalog APL version -15.-97
                              Category:dropped
                              Size (bytes):27089
                              Entropy (8bit):5.976876192188699
                              Encrypted:false
                              SSDEEP:768:4hGX+bOt6VLyaNxs2UBnMH0RyECNkJ6IeOj4ggLd7X2pw57E+5lT:iQYdLT
                              MD5:64A041908E502D37EDB8EF2E908C70A1
                              SHA1:33A3307C37F78B60F9897C5F93177F70689BAEB4
                              SHA-256:7FDBC64656523FA29B4D053C20DB3B7C648751CB84BC1C3676D7CEB1FEF0AB4F
                              SHA-512:B26EDB9D4D057C1990699A766C37E60FC93D53180AFC8B94A0046D9846694C425494D02F4B0F004DDD1ED255F4116E3299492FEB57010674B8BF71A9BAAAFB9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28779
                              Entropy (8bit):6.218514890183461
                              Encrypted:false
                              SSDEEP:768:uWUhFnt/Jm+u8wG9CVLB9mLYfL6wwkq8OUb/ysYHo0eY1H0pe:uXEGwrmLwLfLysYI0rFF
                              MD5:60954470CDF1235BD32090D5BB33922F
                              SHA1:63FCAF685999AF54F2C4138870322F47938C152B
                              SHA-256:A8CEFFEC388326104E7118D242AB5CF88DCE3F6C1B1D76DAE2FAF6FEF910AA48
                              SHA-512:779F27645EA45D7F13A4D0E09B0A6902ED8BF55479E7A735579D10ECEBBE7881EBF91C3C2B6BE8EBD31BBD08F2292A82FE60092B9F8AD241CD6D564E837EB50F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38512
                              Entropy (8bit):6.1929227927201564
                              Encrypted:false
                              SSDEEP:768:iiXzh+EVtFzpjOKdKMruDn578PVjmOX8CxDM2kNi2T2Go4DAiEcmRmUyiwfbPvHU:Xh+yjOijmehuPTdo9ebJC
                              MD5:F404055CEC62D79F7CB8465366DC4702
                              SHA1:F298F9B9541FC344EE5DE96F591E6EC38F470C90
                              SHA-256:81C460B040D978D78B3B0B2E7193FC7F5CFD345EFDC60C779F8A3E3A25E7D56D
                              SHA-512:C3565E618642D280A62C18EF74A3B66520DDB04E4A693D366A82B6D5F389800514B2EEDE44EAE2A5CDCDF82D60FD05628E73FE8081E2EA070BE5E88EBF27ED37
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41162
                              Entropy (8bit):6.21441701941515
                              Encrypted:false
                              SSDEEP:768:4dNTWtHW2FuU8U30+LRcLH+xqRE3TZwunBy4Iubm:4EHpzYIcL+/qf
                              MD5:A8189977B6A67DA06FD1C89C2BE3EE7A
                              SHA1:DAACBCF52A159AB9488F9ED562CF0DA50A5C6074
                              SHA-256:CB97E35698131DE5347F92F8CF06B9F8DC9F4C4385BD341122391F5B71999B8F
                              SHA-512:B0043D5F0883F32DC47BC5F384A1C47554F0E00016ECDD555BDF1AACCFA3243C15B843B40983C842B81EBB23E532E8D9D850BADAF7488D831368FA01A5DFAF8C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):80333
                              Entropy (8bit):6.104995414969738
                              Encrypted:false
                              SSDEEP:768:8R2I0DvtEjxFp/riTBwRji987QK5J9gAaZ/a16z2DMiluVm/IKqya841UNQZ/h2Z:38TEsvfP68fomCbBuUFc
                              MD5:709B52EBC7A9329666E444606CB58A6C
                              SHA1:48F7F45010747250F38E824AD8612A6F4E9DF201
                              SHA-256:8B7F4EF496E0F77856E170F49AE6E724A6C54659B63B8B9F1A08FD2E5B3BD846
                              SHA-512:0F96D2746E920718C77AC31B14276693DBA27D4EE108592BC638664723823F0E1ECE8B74FAC2C65DE81ACA84B50E018A0D9A2A4946ACE9964B1532C72F0AC99E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):118803
                              Entropy (8bit):6.34885244919958
                              Encrypted:false
                              SSDEEP:3072:+iJBmoFlcqPJwaIaWl9WRpOUYpBVMHlSt+Su:+ivmoFlcqPJmHl9iP4MFqI
                              MD5:3E5669B80E9407C0733495C574C5566A
                              SHA1:10D5803733A3F915B58C4019D1B8E2DD7DE71A63
                              SHA-256:A3CA23D0959D7E9037E08D2939ABE34DE8349BF19858DDA88B1CA34BC2239E95
                              SHA-512:21A25EAF3C9D881BA5065853CE79E16EEA8719E9E38C5CC80CD30C3813DE4CE1EF204233F1DD0C6A905E28B0F5CF15631F58C8761CD811A4681AACB85BE438A6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7327
                              Entropy (8bit):6.810977265349919
                              Encrypted:false
                              SSDEEP:192:m+oDJdQSgMCVnPEzkn4jiEMJAY8+2c9Tm9TM+njKgy6:m+o4SgMCVnP5EMJAY8+2wTATMYK0
                              MD5:0D1570981FF29449CC8708BB5E668867
                              SHA1:F9B865440322E19139E0BF50A9B8E0C7677FE284
                              SHA-256:A0890BF7BB41EAE514ABEE9A639798EE009A9FD354EEAFB57AFAC5BDBA2D1334
                              SHA-512:ABAB21578861F319ABCE9C19B6196356C4F8FFCD2E10EC4E3B0D412E1B641CC3C417AD46115B3C330527D094E8F91B9FC2FC29E2BFFBF845E7AC0EDB24EDBD38
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):153769
                              Entropy (8bit):6.771706874805446
                              Encrypted:false
                              SSDEEP:3072:SiPqqNhrIdWtpfMipui2+b+g/VNETIAaa+m7xIaI6ibzPa2QcAZ/9Ak/bD6kjuXq:NhvjEipu8AIAp+9j8uI
                              MD5:9A456891ABCA8F5878B0DA9A05328C2F
                              SHA1:F8DF8F9CD377B71C777681765C5640F6B8A22812
                              SHA-256:D9C3F2E1C8DF402D97846FB5CB7E8C1207C30602D09C805A64F3D212D6A96430
                              SHA-512:EF47187957A795548991F5A9357D44E1102508106A1B308D96E1B8BA4A8505AD5B2BD55B618EE6C2C958AA06CECDD52145FE0C8F9651FC98FA7366B42D63F344
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1688
                              Entropy (8bit):7.537653220518947
                              Encrypted:false
                              SSDEEP:48:qXL4n7l4nntF4n7l4n7zun7l4n70g6iGHNrcX9ANU4n7l473nax:q4B4ntF4B4fuB4ogyZcXuNU4B4zE
                              MD5:E919CB53D6C0D4A71B45F7392C0835AF
                              SHA1:8163E74A2CA9F8370B21507DD21D2B80F9ECD0C6
                              SHA-256:6CE3AE22ED632B68DA06C2F419D4D1011FA83B20D06C706E4F491605971654EF
                              SHA-512:075ECB8632EB5869D48D144021C83AA9F400CE4B63F7C9B12D61752657776074546699A84DB200847FE89AD40F4B0B49EFE3502CF071473AF3411A936FE8CC7D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2059
                              Entropy (8bit):7.6324484418368295
                              Encrypted:false
                              SSDEEP:48:mW7TYo7W7+W7Xkv1hIbWEicKo/rrF76h7WEtoII:mqzq+qUgbWE9KoHF4kII
                              MD5:57AD5E287049F3848A192998902AB1BD
                              SHA1:21E543BD562B7755667F34FDF848C7B53505DE65
                              SHA-256:F8AEEB5A44C69D418736870C457D319E767BCB6275A0D2A30FF83F5F10191B2E
                              SHA-512:C9B937FEFEEF0A2A4EC87110BAFA447CACAC749663759EF848FFE7316F1F657F9AD246B5C32496B880759CE9779E3E8E11B5299CEFA9538C1515828E322FBDBA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15506
                              Entropy (8bit):6.677143043055797
                              Encrypted:false
                              SSDEEP:384:5EcLcyyWGOwMtLkunemvsIVswqSknZzU7z1pCKqEjS:HOWGCpWmtWLPnZzqJaEjS
                              MD5:5466CC7462B08EFD8021F677CCD40EB7
                              SHA1:B0EFCFB00D08787E4FF77B33A926C96677E1B58E
                              SHA-256:BA7296041D17B4E50D7BF168BD6F7F4F87F83B01363F239AE181F8374E486FC3
                              SHA-512:716C3530BB21929F02B7226E48F1E6255025AC0ED875984D2917E3D896A518794BC0378760CA28A8663A850DC4283A3B0563BC214AD533A694A75288AE681B0F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1610
                              Entropy (8bit):7.454538714879322
                              Encrypted:false
                              SSDEEP:24:6LT9LT2g3efXgPNtGT9LTqIpvHf9LT9HpOGkP8JDDH/x090ZLahU8rwLT9LK+WrB:aBRaXg1tGBZtRW4DH/OK9csBFKue
                              MD5:7F381C5ABB3A921F6DD9AE6B1923419B
                              SHA1:C1A2171D6173216D9463903534BF555D6FE3CE76
                              SHA-256:1AA00E3628250D6D0E80A0C54C1FB03548D5936829725EFF19C67CBEFE790FD6
                              SHA-512:FD5B8484905C7F7172779B2E666150F463E04B394CEC405D78734B6B7B7F2A78C356FD02BE0E0664F1E07F5EE545E44A9ED98140FF873CA1457529F2F177046D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5338
                              Entropy (8bit):6.730855159928755
                              Encrypted:false
                              SSDEEP:48:fKLr5WIBTnVSSqogq+VsTjpmivaIae9kbVSEQqyhjpN+eKD1dyB9hyJmPvnxdCBB:f6t5TVfZ7vlWbR6zLhPPPx89uwXuvVq
                              MD5:0D1DC6D1EAC0CEC3F813A41F0F9A2962
                              SHA1:982CCEA95050F2FCEF54492B3386CC72F4934072
                              SHA-256:067A60DE64FBE6773FC74713D2BCA1B1FA49F9D6316C9A268773CFEBBD2C5A81
                              SHA-512:5E0B813372524A2834282DA6064F0244C634C0B592C5B3255C8AED68FBF79DD56CEC87D55443D4CF27AFB48E1325FAA89E4E5186AD15CB47A285A26A49EDB3C9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23534
                              Entropy (8bit):6.832224593008097
                              Encrypted:false
                              SSDEEP:384:FZxlMRWT3LA9K3+QWXr8OwaMTb+LiB3DTmUyNo9VlYEdxUgt3qLC23GE5gdN:0WaDjr8Owl9YNo9VlYEdOgt3qLC23GEw
                              MD5:071407804D020B8C6EE5D356AF0A7ACF
                              SHA1:8DB0844B6815C8EF6AB71B47D5A40C034492C4F9
                              SHA-256:55C9011F879B2E506ED2A2ACE87AEA4D0560BA8EE326EB1D265A9EFAFDD52F0E
                              SHA-512:FF6B0B7C0A3A85B9C2AC379F68F620FB43FE62222870E7B3D2E71F12BCE4F5282D38B2CCD1114107F01390C22D90DA6825747BF42D87DA5A44E33930832BDDC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4964
                              Entropy (8bit):7.572400970429736
                              Encrypted:false
                              SSDEEP:48:Rsp5p0voYp5pNp5ppp5pTp5p0/p5php5p+p5p4+OPAp5pTo22SX9IMeY6b7keVLR:RbvoSOP37xVLr5z0JSQ5oNThDh
                              MD5:7771A1DB6B75F0A0E27C645A591B0BB5
                              SHA1:D2D3DAA1402133DDE4893961418B0B38339B6882
                              SHA-256:EF546AFDC7F083DC52A4FF393FD5BBBE11F9FCE0287084C7FF99EE6415CF1190
                              SHA-512:37F999046A7293DACF52ABBFF73A8406CC4F23551E16EE3C9DB345A6562E08AD075E51008103BAAD6C95988A8F47838263A014EA9A0C6B7BCFD92DE4F5004464
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1240
                              Entropy (8bit):7.22875125869802
                              Encrypted:false
                              SSDEEP:24:YrvvsvTB5AFJv8xs8gvvsvv0vsvve0I8zvGZvvsshmOic:EQVCL8xQQsQ/hzeFBm8
                              MD5:15A2A9198E2856D90E924260BA11ACBC
                              SHA1:08F6FA326C8E7C38DE3F2680B95DEB693447D5AB
                              SHA-256:A7E70362CAFBFAA6385CC2162388E3DF49A6C76FCFB1BA5F7F64EFE58974FE03
                              SHA-512:7899EECE515146352C0470F22252EB70B5B031F53F8DD87E57717E97834A3E65FEFDFAB6B945EF1E31E27C3C3D553A5B8CB49C3152EAB1C0CAE599E525489DEC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:VAX-order 68k Blit mpx/mux executable
                              Category:dropped
                              Size (bytes):18498
                              Entropy (8bit):6.277449048583577
                              Encrypted:false
                              SSDEEP:384:z1hqtaIY89k4ptluPkSe+7f5W3ql6c3/A/3wJUwshRdsXBOuTW:ZwH8bhI/PwshRdyO6W
                              MD5:605A2FF5243C9DC21FA2FD550D81DBE7
                              SHA1:9CB5C2BF32BFFD76EADDFE46D4F5FDC0561C6349
                              SHA-256:9F0F0EADE147C81EF2DED1C0A29897F804179AFDBAD55ADD79E54CA6DEA3E50A
                              SHA-512:C59CB23FD8ACC9138F1BCEFC3B27EC02CEF01E779B43EC9397EBF06BE196E2E978FCA2DE79294A345033A5125B7844FAEAFFD50B439ADAA8F962A7D58450D867
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2747
                              Entropy (8bit):7.745462000710928
                              Encrypted:false
                              SSDEEP:48:b38P3BOQyEP38P3S8P3M9K092CSnNk4BMwntntih9Fjn4uUcSYp9P38P3ljl3FAQ:7uBOQVuSuk92DZSpjndUJYbyjQQ
                              MD5:FE11439FF882D5CC4021A3B642DF31D4
                              SHA1:CB89C441A7A3FC70EEF8AD732BDD398146070603
                              SHA-256:1AA942B1E1B522BC047FC0430AA8D47B47675206C8D91371E7E8CAE158D3C353
                              SHA-512:B77D51BD0F857128BC7E1ABBB2A58BD55B174C675C3EA48617421E8ED9E3B95B5E272E396E685260BD8BD236B24C36D0150F13FFC9B12D7914A5DC280AD596AE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5208
                              Entropy (8bit):7.843370951709082
                              Encrypted:false
                              SSDEEP:96:0/NWwDMcFaE3HNiLsaJlD50KhycHSzqMzhC/Tv9pXUM5eC:XwzYE3t0saJlisyxzqKhkjvkwf
                              MD5:E7883832F2A45DD74FEDB449906B66D9
                              SHA1:53710F8D638D8D396F47762D40F790CF9481C1F9
                              SHA-256:93C508285ACD79279D7A83AED67444535D9439BEFA6A13AD50E757A21F52442F
                              SHA-512:064B8A39D9F8E35C3F3185F00A28E8886BBBD87BB762D92C58ADC2AB313937486CC27DC1B644F5851EA88766B6C5E28BA7E3D52977313170B3D6AE7D33EF70D6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):35079
                              Entropy (8bit):6.6574521181863
                              Encrypted:false
                              SSDEEP:768:OulsulvYYQLMuQ8mvNY9o/UrflbO4IQHmw3tu803Maf2xEOuDr88xd7O82rLb5+4:BWulvYYQLMuQ3vArdbOZQGw3tu803MaY
                              MD5:7C149193E17BE617B9BF4219E5DA4540
                              SHA1:9EE099CAC0AFDA761EFD835A7C705BD26229F2CB
                              SHA-256:D82A52144EEF1DB412513DEBFE44B6CE791407529D33A814F7F7BF49CA9E56E9
                              SHA-512:E718AC123CD4179593E1BA5074E1CA5ADF7BDB50280CDEA002E7140DBA4B962FFF9F2627C19F6EC3D6DEA727E21C231FB63AEA17644B62827797D1CCBA4CC852
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4482
                              Entropy (8bit):7.782215130542206
                              Encrypted:false
                              SSDEEP:96:kATof0LPOEL4bQZoSzGJQg5TEKcKvQYeIkADBdzHMYxPR6n2p1eomt:knf0rOEcYdbgeK3Q/p2r3RRmk1w
                              MD5:66A41DDB3908DC6EC771D9B652600350
                              SHA1:0E2FE23F52D15B72E913DF56DDC1CCB8A83DCA37
                              SHA-256:D6DBB5B09AB47624C225426F1E1F68594A1C6030E52743AED0266382A5D881B2
                              SHA-512:B0954BE7ABC142FEC57E2C7DDA1C53498213FDC8C2FA234468DF730DEDDCCCAD87B1CB63A824ECF0160C9CD7B5207F75F3FB356744DB001C5294694F4315CAE2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):240988
                              Entropy (8bit):6.7289078354519045
                              Encrypted:false
                              SSDEEP:3072:BurUbzoOtifiiwemT0ZCKehtHcx1c8gJh2Mi:BboO2iivRY5csLa
                              MD5:A92EAEDD9AAE5EA4D0D730BEC81D8939
                              SHA1:4E01AAD56DAADB0ECC1702304E44306EBEDE1A35
                              SHA-256:3BEE78D54F3A51DCF5D6586E4F6D63ED88FA8E04924D324739727DEA6CEB96D8
                              SHA-512:52BE29A295D873C77E0E70CB0CE1A73BF48F1475C3DDAE1926FE46631D38B055D79EFB0847F8EE4C5F5BC35079AF4D1D12546F1DE26133494C533AB5C5ABDC4D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14259
                              Entropy (8bit):6.3981378248398535
                              Encrypted:false
                              SSDEEP:384:1osc9Hf60YZEH59jPDHghYUiZEgpl4dqLH/8RBg:mf/zUfg0AGg
                              MD5:A4E88B382A6E8E4915F5ACF5EEEA1EBD
                              SHA1:CEC4E86A704E88724DBC05CF0323321CC361F89D
                              SHA-256:B809F558E3061EED9BA774C2046C3358A8667578C5DB352361CC591BAAE0D40D
                              SHA-512:63AF8773352B954972296429C2DEFA90FACBA5A2FECAF3F403052DB00C53D5C63FF657602B5BE2F82DCB11EDD0CC94DEE56BA0F2B2045588A4BF3BD678064C8B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):45783
                              Entropy (8bit):6.549405178180744
                              Encrypted:false
                              SSDEEP:768:LGu4FynELiqggWXUlIIpgpDm+iT6jVbeM8zVom8PTuCvJTA874gEDfAFk:LGu4FynELiqggWElHgpDm96pb8zVo/Pw
                              MD5:0F6F71F9F050B28FDB89CA23BE50598E
                              SHA1:35C7546EBA063F87EAB0A05E73473AD4305EC2BA
                              SHA-256:300CDE0598BF25FCE535166F595698F7B4E86D10531075BAEEA3D123C1358023
                              SHA-512:0E64CC433FDC1CB5C2A0C4F403F47FE9E50F467A922EF969ACB61E9861382FF67DE9F0A062C6281551BB1E744EBF3A3DC3653C10EDFCF86C63CAD5246D1DAD92
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58031
                              Entropy (8bit):6.533750580295773
                              Encrypted:false
                              SSDEEP:1536:gnKpUm2IjFs4ptg0l5Ivoc65ly2eKyIJt6pGF0UfhNF4J4GHaECc9:O49NcUpfjFLg
                              MD5:3C8F9670905AF89F014EADBC6AA0E2CA
                              SHA1:C3800ED3E4FAD4434D2EB8F0D17E820748721AF3
                              SHA-256:25D50099FC40BB7F9A59481F372515E066D8C92BC1070C5745F0D2265B80BB95
                              SHA-512:F88CB82E7E050350B4BFB9144BEDB5053BF54B21E912AD998FB294AA5CFE3B05EB26F687123C6079B1641C7631B4AFABE30E4803D5FEAF485D27615D2FB0BE30
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7475
                              Entropy (8bit):6.670475403673272
                              Encrypted:false
                              SSDEEP:192:WPceF0lNQ22HhayRXVzW82HFZPRPpXO7gHN:sD2lNraRXNIHFZPBw7UN
                              MD5:85484220B97A0A61CD61ED7BA2540646
                              SHA1:8E3303FE1E447A2EACCC721F690AF01AE9DF5878
                              SHA-256:8D497188F4C86EB49B898F62F9AFA6D792F881A9BB33BE11356E1ADB2E251A40
                              SHA-512:6EF49F4C90B067A834318B5653C1563EA0615CA109B5FE893B4B4F9ADBAAB8E14F1DE63181C16EF850398346B25A7AA319E8ADE64B2E6ABA0F3983E5E0380B10
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:PGP Secret Sub-key -
                              Category:dropped
                              Size (bytes):4135
                              Entropy (8bit):7.680971858156643
                              Encrypted:false
                              SSDEEP:48:ayxOrEOQObORAOT5W0OO7bRaOFO9EpElycNMrk6I1Is+sn7W37tE9wcB17aY1I/Q:aho7NZG32dsn2WD7tIXnqkxTq
                              MD5:A46C2ADA717191A8E4724D888DEC5CD9
                              SHA1:1DCD3549CA6DDFB472832451B78FDA4AB4FB9230
                              SHA-256:409B3289DC631DE304447594F117A8A502091F6723E1D42A6F7872B248943444
                              SHA-512:AEA61CD1EEA7F441BAC1A064B02F1D49DDF2C17E3F15DE62E56037A17ECC2070EC45DECAE5C1DECC87ACD8F4814006CF2D51F9F4DF59DF49A9B3B6A32D061098
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1783
                              Entropy (8bit):7.523429088705849
                              Encrypted:false
                              SSDEEP:48:U4TOlOwvTXTbOm/6iZph0hkD+OH5Wolsv:U4T+OsTXTim/6iZIyD+OH5Jl+
                              MD5:A9882E1C60D1EA4DE93155463DF6E41C
                              SHA1:72C426418339F5B165AD509E9581BCACD690DD76
                              SHA-256:696FB5D87E017A369081146029F734D001994AC64D16D9593F2400081015D6D3
                              SHA-512:F5F50F0249E393606942A4D2DECB9FC9885435A4B1EDB03CB62BB652F0BB17D29B754069B3D19B49E2283D896E59D8DD7201D1B718DD1DCAA241B9B0AED1564F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2381
                              Entropy (8bit):7.651379667784185
                              Encrypted:false
                              SSDEEP:48:KhXtTwdhChXhz/hXhuYGPMHgmSf6lQIc0zJa8TU40rVBZNXhXij8QpakaP:KhXWdQhXhz/hXhuYGEHgmSiHVJaJ4cvp
                              MD5:8ED4128A438E80CF03A55D07A4B7B8A2
                              SHA1:9470FC84649A4A4FB2BCEC91DA4C443A1AEAD9F6
                              SHA-256:BA723B5DDDD0D1E8C7F72029A2F2E085ED9E1CC0F0023D73CC3EC8CD8F51D3C5
                              SHA-512:0514E6D0650568590A3FA929780DCD5831ED5606DA93AF66D0983192F09D5A828430423F4694DF70525CD28D2748EB2511C5BF18031A1A4CAADBB46656E80CBC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6733
                              Entropy (8bit):6.8069081366089526
                              Encrypted:false
                              SSDEEP:192:c/lCACknnM5YRdbTa0b+6koMrtT2waCAZ:c/l3Gq5Rb+6tkNXar
                              MD5:274FF29B7B73EB1F40643795DB241B9B
                              SHA1:069AB48628702781ADD147EB5C79D65E32772151
                              SHA-256:00E38504CE7A777A48FA4F059C9173E46C057330916304D697C70E2AC1942B59
                              SHA-512:B6D1AE094442977BFD610B89D55B615F54FEFC7F7CFE04A55C8546112D7DA6693B665E054B2F22098302661D6CDD6F7CF1073770CADBC915699891D58A17A130
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14719
                              Entropy (8bit):6.770512024034861
                              Encrypted:false
                              SSDEEP:384:04C80+KQHG8KTxGHDpz2t09VYQimjrgMSrt7vbDmvtJnm3w141reunAaaOQXLvqj:0f8rSu1Lvod7UxOhtnx
                              MD5:6DA331C05A5B3DF1EBF35E5F6E37AE02
                              SHA1:828504A73FC776578156647178F962FF56F2A180
                              SHA-256:26C9188F804C8A7399ABD0009F9C74253CF367F3C81AF38B5D42AC2CCDEB7B90
                              SHA-512:5922D639ABEFC7A5CFE4ED2F52226E173F7C2A383B0BBDD6D75049483D1A7823B83A49895AC9AA02A23FE91F30A48C827A6F83BA1714C5F7AFC4C8F91D8E3EFA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59538
                              Entropy (8bit):6.679128803341956
                              Encrypted:false
                              SSDEEP:768:lWn8f+pHnDIbiyiRvXpCfpKFL+A3Sc3Jx1JKHwIk68qVQvHKjYRS34PN4+A:0xpH9dvZbN/hMQvq8MT+A
                              MD5:BD0A83EFE09397CF042DDD67F2ADC6D8
                              SHA1:FA22298783597512877B6C256E592A5436D268FC
                              SHA-256:41B1C8677D97356D2C35D154D667D947E720A2F5E5CC702EECD9E80EF8B89C4E
                              SHA-512:3AB6FE395B73395841E63D40D2C5EFB1BC0E43F6F516362A7035F3EB7930CB65148A47967974D56B18A946A7D4B7D8FCF1B5F72BA6B5C57098D6F0045C9D325E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):611
                              Entropy (8bit):6.953975556202622
                              Encrypted:false
                              SSDEEP:12:df+7wMlHiPYW6nGR0ldVVwzIzlGX75VrcA4wsSwx9+hTv:df+7llpGR07LwzUlo75VrxDS9+hj
                              MD5:33516B3576D556AD6CBBC8CCB1BECE6C
                              SHA1:124D1C6F13F040BBEA508525FA523A242701B4D2
                              SHA-256:9BDB6BB6EE1DF4E0DF733A4CCAB83914626144FC2526EA7BB15BE9CA55137C55
                              SHA-512:D305DB7F7C99A6D85F6A4DD383F9A10E0555653742A75D7D647FA46F666ABEABA31D691CD0650898A7D9ECE232617DB81735A9214C7D2C8AE8DE43187AA6F181
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11344
                              Entropy (8bit):6.51229721970138
                              Encrypted:false
                              SSDEEP:192:KwoSVofw6FC+Wz/JOj8suCRnsHU0Y2SfgH7KP:KhSVoiPzJOj86hrebA
                              MD5:79C1E569187646BCC78305106BA7B2B6
                              SHA1:96F6D3487F561CD683A12B40EA57AF03378F425F
                              SHA-256:E5DFBC06AEC7353C75855052F31CC788E1B4004996DB9272DA3AFDA77FB0A679
                              SHA-512:8A225FE767E2EC21FBD85289B82BBA51FC7586525933DA89F24AF93D90BA2D1A36D39CF6C4CC9087413180CA9FA34A48F292FD330B0513114C9D32B1649F62F6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):812
                              Entropy (8bit):7.004812132534498
                              Encrypted:false
                              SSDEEP:12:eML7SRf8yUf8yvdy1/OajqoZjLnf8yi9Bjdzk0fqO07qwUZJv:erlElvs1xRLfli9Bxz35
                              MD5:14BB12867451FB8EC9A49D7C09612F1E
                              SHA1:1FFFAEB9755EA87B282E4D497CACC23607B1B389
                              SHA-256:D5E50F56B9697ADDE7B4FA4B06CC06E978F439FAAA4B302E4874524C30340AD9
                              SHA-512:11CBDD8A3FF0CE4E21861956448C195C4548170CAA755380CBF810BD259FBE4934E9AAB576711F817A0CAE2E3318D7FFBD4D69BA71A7BD84698104F825E88CE8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2275
                              Entropy (8bit):7.622055233691929
                              Encrypted:false
                              SSDEEP:48:6VJVlx4RtVJVDKYJVoVDcK8NCs17XFrZuA7JUgEttkr5AMAtJ7DwDH:6VJVlx4RtVJV/JVs/2CM7XFtuZttfFJO
                              MD5:4BC95A11F84DED86786FD76847454987
                              SHA1:5E7B9C4DA6471759CFD713042FD04EDA4D646E53
                              SHA-256:DD181649A41C5B73C7D8AB44749FBC4B35FAD411AC311CF2B0F6BA0C232E045A
                              SHA-512:3C1C956752106F9B75C90D26B51395017BBB1E30C3656E71B090D937EF4F4B29BC0CE83CC95B9FBCDCCB79A03B4CC6EE7E06CFE95E90AFDB674B455CA00A112C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18491
                              Entropy (8bit):6.336654254044677
                              Encrypted:false
                              SSDEEP:384:DToEfOhiBI1l8cChNEQikSW4IL2NgWEmUod+IXD0D33VMv38RS:f5Whc2kpJIJzyDs
                              MD5:2300147AB79B86FCBBAC5ED4B9A05533
                              SHA1:169C9135C3791EBAE0139175E08AB43D1C57517F
                              SHA-256:48DEBAFC3860F4D09739A83771DA5CBEF68DE2F0637945E2D74355D1B0FB79DF
                              SHA-512:07D500BACD3EA013EE8BF8C462FEE4319C59A81A163119CFF99E21550E40ECFB1D3D0C2F9E357682C3B87D43408DD91712358719EDDE80B0935D7AB85B7E6B5A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):8461
                              Entropy (8bit):6.876856551495744
                              Encrypted:false
                              SSDEEP:192:G/I1bziYRCob4CirgIFdC5YANgxL7tR7l:G+L5gFdIYAqxnR
                              MD5:D10B4AB4DB9F930D7B5E0EB07613D53F
                              SHA1:37ABF1C5D6E356AC6F73C5D57B2E71D897AC1BF3
                              SHA-256:8FAF2CCA0E15CA0EADB4E40C34164998BF976F33B4D2113C58A5C13A97C96991
                              SHA-512:83075B9F38B65E69760E4C1FBF1A59A0C9EB8953D63CE4C738042D41ACEA7AF0B4FF15D1FDB2B0FB05F4022483C91657D449CFBE455F6B99BDA138A49697EFC7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2682
                              Entropy (8bit):7.544121433368485
                              Encrypted:false
                              SSDEEP:48:gBNyPj/38WC9zCSCgMC+Nfc005psyAyChvCrSGjx6t3j:gHs/KM00QpsTqSGUlj
                              MD5:AED2202FA39434585A6CEBFFAFFBE8B8
                              SHA1:334A7CC66EDCE42DB453396662A4BB734602376A
                              SHA-256:87F7BBB3C95F152E2038DC7C1E92680D1137F6DC9A2919DA273ED49C9DD223E6
                              SHA-512:8E7383A7AB154D173E31724C0CD4C356268CD65708DA40BD2047E80EBB831AB1055931333CCCB26251238BB53AC47DF8F092548C68A017A800935D07A9AC4265
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4578
                              Entropy (8bit):7.804775863308574
                              Encrypted:false
                              SSDEEP:96:49reS6CsaH7621bySBOPYIw3HMJHmLwQmSZjqB4fdWG2w5GDYTD62B6L:4iCsKruE37Z1uB4VWV2hD6q6L
                              MD5:922DBBA0458ED76B7818610FE4587D9D
                              SHA1:C4019F23BB9394E2DE72F8A272E47C87419BFE83
                              SHA-256:F68F2B9F3F4434CDAFF90181EFC913F86F12CA32D51FB51A927B6E867E767AA3
                              SHA-512:E2BEBCE75F380ECA07E85F4EA017D4A3A36B53EDED7892B964BCD8586D69565CC75DB8808FE01E49D413A7384240653B1BB664D785587F14977C4F7F994FC60A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23268
                              Entropy (8bit):6.52083885748361
                              Encrypted:false
                              SSDEEP:384:MvyI7tkKB9b9D1dVgbNFW9757ZT/PPhydmQObEgm9D0IRndbtz9gu2taq0rB7Rvn:ay8JB9J1ggZZTnPEdQbEX5BRdh670lBX
                              MD5:A30A4F58EB00E792887BEC1CE024FEBF
                              SHA1:0662A41310C9D0380958BCE7E6321374FBE35DFC
                              SHA-256:D20E5C0B4B1A681C51CEE1ECF5EB0A37F6DCC474EB02530338C30A90030F0D91
                              SHA-512:F1426B43F844EEED0DF1FF40F659998916B60807603E07744F9E5F12C37CA4B9821CD0C56AF0D5FA9C9CC8A69F68462C3C4EC3DBC81566CDE8D1DCC1EE5ECEFB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2291
                              Entropy (8bit):7.589102553315812
                              Encrypted:false
                              SSDEEP:48:+riCbww1MX7GKwm4W1yfRBmQwboVUWx3CztQWTIGX18g:TCbww1M6rm44pLmCzZXB
                              MD5:C2DC000DF4217A78600F15ED9AAA56B8
                              SHA1:1BD7EFB3D778B452A787C25560CE0925C4994DFB
                              SHA-256:E18D21AD344C877CB91E9BC123B45B382EEEE84BAF79774103F3BC5E245A02D3
                              SHA-512:1AD4F157757DC0CB0BCD859CB876ADEEE338327A9656844206247A56D1E46C3F508DFABC13CDEDDB318E1EDBC0F755F6742FB240C9DCDAC726473E0995D0FC05
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3530
                              Entropy (8bit):7.814292625623812
                              Encrypted:false
                              SSDEEP:48:W7Sp38mEqW1CFrMmYQPzl8sVySkhgOn03bz4hUZ:gQsmEurlYQbllsSkhPn0rIUZ
                              MD5:85560343E1A3FC02FF554D46C971CC05
                              SHA1:DC7B56DF9CFFF2950DA76EE7A8D04D51313C269C
                              SHA-256:AB8E7A639AF258973DE49D9E45CBA589E035F585DF2221C42CEC2DF4E793D477
                              SHA-512:719BEBDA958A1A6527E4651B375AF7D504FAB4E618506126373D1568EC83C63ADA60DDD30817D878C7C3F9112E639734EA968C6DFCA191A91F923F5B204EC920
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8640
                              Entropy (8bit):6.241754515032104
                              Encrypted:false
                              SSDEEP:192:/LZsW+YrxgLniytF+HHtRB3/SoTtfDdxYRtCdu5Su0u54VW34:/Lq5YrGO6FCNRR1TV7YRkQ55L4g34
                              MD5:628535C2B883A6187760B6C1B8AAC768
                              SHA1:034B337D929B8AC2E59AFABBFABC3CC8C5347AA7
                              SHA-256:285DD280EE60F80A486B28789D06FB9A57CF69B166AA161B004E20490EFC81FB
                              SHA-512:CB2D2C2B8D00BA025AEBBE4EE312761B60481A8F0CCD6273C6ED118A1D67C35626AF7737396CBC741D5B609801D5C741BF6A14D702A6055AE43A524CCDA48EA0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3168
                              Entropy (8bit):7.744743367080879
                              Encrypted:false
                              SSDEEP:96:EGH12CGaGr0r4EiZBS+N0cimxRIwXTaGZpuQ:EGH12CGaGlf00EqaGuQ
                              MD5:33464AC4CFDFD14853AB29C5AA1E1606
                              SHA1:B9D9EC035569F7D4801E9970D75224552AF714F9
                              SHA-256:FDE11194626265F93D960AC6FCA5073EBDC930214A7AB5D0240CC8E30A202E4E
                              SHA-512:B69174E79E33C120D346C9DF34B8ACF6A53B97584FF114D426A180EB28C5EBC58F1619D46CF3B52E265738F7D1DE9621746FAA9B425DED1E3223BDF2DBB875C4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):64584
                              Entropy (8bit):5.569249804948166
                              Encrypted:false
                              SSDEEP:768:/9UFU1xulF4fjsHgsHn9BHvFJIh0Nv5N7zza:Bwl953Ta
                              MD5:C4F09231572680CA5088AD106E746E27
                              SHA1:3A2C5939F22A51A6D50DDC75966B7E38DAECBB89
                              SHA-256:7833A0B39827631DB91CF53F20D66CB8F921DC395AC6B0C0528DDAD3F529C4E5
                              SHA-512:5E138BF82913F4DE52F4460792C414DBCA1AEEC2B8768BC867AF9F2FE20573F85DC6417995AD56C7708169BB5FA5EE93E1F0972224B8FE6DAB6AEB50C06F7592
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6507
                              Entropy (8bit):6.641803169184028
                              Encrypted:false
                              SSDEEP:96:NpHrHhQazwLCSBxfErq+WSCuJc8B/P9YQNpjxGOecV8LKuEr10lK:NpHrBQasWSBxfErq+WSCqBX9YQXJPJ
                              MD5:2FDB118C16D29499C05D1FD9C0B6AEB0
                              SHA1:66E18B4E3D2A6E240C3277CFF348F3754F1DF46F
                              SHA-256:0986E2D6DFDF04686174A9BC9728B28A9B862544F859778C18198ECD155972AB
                              SHA-512:E4E4F73453881F42665558A5D5572E9D471CC92FB902ACED71AFBFAAD2E4C42CF32E0D8DAB4A9EC8F00A65CB08032542B1A0CB093026D8D43CC38051CA60696A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12149
                              Entropy (8bit):6.381893112835774
                              Encrypted:false
                              SSDEEP:192:j0dl2JhIVngZQrlYHZjzvhLlTaGtjGuk/efXDloPeIZCIRfy+fKuCZ48MpDO2tkx:jEl5VnMqlYLlTvzXDl/3uCZLcD7cuNZ0
                              MD5:1A4B41EA9CE492C7562D7DA85A585CE2
                              SHA1:00774A389BB9466D0998D26BA127520A1086906B
                              SHA-256:12656A0566BFCCF53856756EBAF7E98DFAEFFCA80B7FDEEF8C3944950484E7F6
                              SHA-512:63DB4720FB2601CFF4A5496BEA33166A774F007991038B8FFB44C55C1367EB014683D780E92434A67DD1D9F4EDB3538997E7763128221F09CA1D4326295BEEFB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5840
                              Entropy (8bit):6.7159620636875506
                              Encrypted:false
                              SSDEEP:96:BPcRyZ3eh4fOsj719yk5ARi6KftJ37YTq6lCNGsig1sv:xc0pGsj719dFLlJUCNEv
                              MD5:2F38D88C068E161157A0C01623BD4858
                              SHA1:3A2CF91229CE61DACA9B413C5C68A5A7202DBFDB
                              SHA-256:AB12E9AA586C9DE5B553F051CFBB91FE3FCDE95AF771AB778BC464B763B63D6E
                              SHA-512:9443EA7F51FBE47456F81101E8B1B5FB3BA10A4156C5E07D6895B77F5C7D48B9524CC8B2BEE2E22263A2EE73754B101A0B8BC8632CFD4DE7521D8B559F3B2AA8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14047
                              Entropy (8bit):6.81456217093473
                              Encrypted:false
                              SSDEEP:384:Jc3Tph2aM3IajocJdmls7RajuBlJVEkEan7xY7JlW:qDz2T3Ioqs7y+lJVEkEa7P
                              MD5:B7B80A009C1A95D92AEBDDF96EF71319
                              SHA1:0E6A8D1698876F35448DE60EDE0ECD8F586528DE
                              SHA-256:B3C3730852036FD884E43CF74424F212B959D5924B388A4C962F782C523D43AB
                              SHA-512:648CFB3EA27BF3F975A4783F5B4A14FE21660AF258AC0B4C9F2156E2FCFF2933F6C307F2BDC1F47A34C4FD189B264B66040961A31E48D49C14DD64D39FDDABDF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2979
                              Entropy (8bit):7.722858891978974
                              Encrypted:false
                              SSDEEP:48:+8nLoZnLBOE+oZnLoZnbUZnLoZnSFgIPXlvIEyDQD3scaei9dEira6XjdoZnLE1p:BLmL4rmLmGLmSicdIWVGdE6XjdmLE1p
                              MD5:F16D0BABFF97D87E6CBB837E1541F595
                              SHA1:525C0A68F34CB5C16A7E87FECB6765C62CC174E3
                              SHA-256:943C5A6B5BBDB352960B8863B2A4F2A17E2F8CC0DE53EC8AE0CD5CBF61C4C035
                              SHA-512:B211029263CF99211DD8285474B817198E9C8D9FB0DEC733F9821EB12D89A87F73BEC7428FEBA9CA44A03C8FF35C157496B075D14DFB1AB34387CDCD0F6A3D09
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9715
                              Entropy (8bit):6.738749744408599
                              Encrypted:false
                              SSDEEP:192:yj9zfCEl+ng4/fDVWxMdvF8n6FGxEoY02jZ2DKYe2siWrXVQyS1:yj9zfCEl+g4nDVWx4vFCzEoM2DEiWrly
                              MD5:CA9F0F8648FC2D0B99DA20CA8E90BCF6
                              SHA1:608DD93521CB18000CA17CE15A81CB872099CF4E
                              SHA-256:AEE257F39E2CA9E0E903732358F01655CD34614375D8195E402EC4537EE616A0
                              SHA-512:3D46C8015C38839A6B72F2C8E748B7B51750A861569BCBDB59081B179B5941B8C09ABD3BF435EA62B368184D25D8B299A41A207C1B942BC763136BB63609F25B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7003
                              Entropy (8bit):6.540116137172374
                              Encrypted:false
                              SSDEEP:96:wnft0/Te4dbTKQ/TETEYcRT7TfZWrrT09nAGdbd+cLuTrHHrfT6ovL80:0fi/S4VOQ/QYNRXTSUF9ufHb1LF
                              MD5:45DE545D62E321F8EF69EED2D6F8BB50
                              SHA1:0AC9CBD7415604D2683EF1605A6CB1A1D456C8DC
                              SHA-256:B46EE99EB1FD8D0C1FD8031F0A7AFADC99CB3B9FF75130CE37EC633C111340F4
                              SHA-512:B1EDE0A3656350DD7A60BB3AD5152E82DF9E5C2A592D2188FFC838B4739D178656B420815A4A976335198DB3B66DF7FE58902781E1D900B123EF1326F78E84F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):110355
                              Entropy (8bit):6.844032664191346
                              Encrypted:false
                              SSDEEP:3072:p0xaAS7fi8o95PbMQMRRl8XcWSRyZNZpWsmE:Sxat+8o9wXluSYNZP
                              MD5:A5C902C7353DD0B1A8D76A8635591BE7
                              SHA1:A18816ECA58519175D974A95EC48886BBB461A8D
                              SHA-256:39262B5242B957C4127E3F6E44E7D9A8FBB343BD8D72DF0A19E78FE30BA73C6D
                              SHA-512:35D61173597FDFA1B1F44C6200F030DB6845CA518E48E213C5EE0B770F1EDAC4DB366386D9717730F4256047D2A6EF273E1A8ED23FF40ED5715D5F1B61DFA434
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1465
                              Entropy (8bit):7.4079594607678985
                              Encrypted:false
                              SSDEEP:24:D3CLCMLCxEgPs3lyQLCMLC6a+CMLC4sm1T4NJempPhnWkTLvQTIcsFjGHkeZ:LrLP4ljaCsm1+Je2nWkasFrC
                              MD5:7E0AF16B2F0BE4A8BDEF2E9CBEE94A02
                              SHA1:EDFC4DD130F76DA1C501F93A8B499C1FB0EA8A6C
                              SHA-256:577ECA8CEDF19DF3C10539EB0A3DFE33809EC47FC3ABD3F713D7D6860B9A4294
                              SHA-512:1407E6B417F87A14A7E39A029FC8CF67DB69C4116CE13932A97169CDCC3C5DAC7C852610330C95A87D781231ADB3E8D5745DE8FFB2F1553E353726BCF309B62E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):40287
                              Entropy (8bit):6.525480496660919
                              Encrypted:false
                              SSDEEP:768:k5qtuZ3F0i2TjheIBciYSP9pfVdzCW50ss+me:k6aOQsc8CW6E
                              MD5:93C4AF2D8550D99B6AFAA30564E6A554
                              SHA1:C578607B832BB795C139F43A2B3B2BFB6416DF1D
                              SHA-256:6DC33ABE9784ADC0239F71E20E19B29D210E078650F3D783915470C3CDE3DB33
                              SHA-512:02C012B18DA53A5B5C75FFE547B185FE6DE859E7A106D78D6D7BDEC466C39221127751EF92995C44E0AF329AC00395AF0393B785F8D8ECF58B65B88B78F33B01
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1834
                              Entropy (8bit):7.568068713874548
                              Encrypted:false
                              SSDEEP:24:fmiYXcXhCiDXkO/prkBbRq1H3LqZifUeBdug+T69bYPd3z8U1vzHi:fFHRxDXppg5uE0Uexk8N0vzHi
                              MD5:CB7CA4AFF9A13F596A490BFDB12DC667
                              SHA1:D7A8E4F86E7913D2CF7274A31BC0C7BC2B142FC7
                              SHA-256:E22161CBC7BC1D7854A843112C388499BBB942DC228E9395E4F243AEA1AD6D6E
                              SHA-512:A2AFA704E11CAFF1FFB8C3CDF2A5D8C07F8FB47DA019731728390FB96773C26B52C322A616A8EB316DAFCF72D97C16913A05028C959A9DECF8483479F945D927
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9788
                              Entropy (8bit):6.149318774721749
                              Encrypted:false
                              SSDEEP:192:2nWJ7NIWqrqbgw9s/niqmEicsau6qbTN9pwOX:2YuZDFf9DbkHDpwOX
                              MD5:4295E7697324E987C61E1CD8A92D0668
                              SHA1:DAF2973F810B078802FB88B4DA0CE6ECEACC6A90
                              SHA-256:833CFA461C5939FCDC06788962B05D9D23F9EEF61E56364EAE6BEC1DB0A2B352
                              SHA-512:7BDAA3621D46F8474386D3D5193DE14BB645D1D4D026652AFF1360CB50A7F4998FDFA38768B7F3EB4E0D6FBE6C6BC061DBCDCBF037E130B4D488279EF6FB1D41
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5772
                              Entropy (8bit):6.8369104718244005
                              Encrypted:false
                              SSDEEP:96:W6rwulzClOB9Ei4eKyZGDwGLptVAvivgiv:WhAxxiPVAGgiv
                              MD5:BAF832D0400A2300F29D52B2E070B2DF
                              SHA1:59AFE95D040DB56A0F3ACC405738CB74D82739BB
                              SHA-256:774A87F4050FF0781AD8C298D0C9323B10B891786CD1CCADD5FC5C745A65A623
                              SHA-512:30E4462CCB6677D4551F38B5C0C3BA86B393DCBCC262DBF0DC9C4760A3FED098BF66F1392ABF7DB32E4B61B70AEC062621B4AD65152EA0C1B5AA8A7D357475A9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29874
                              Entropy (8bit):6.054372120191036
                              Encrypted:false
                              SSDEEP:384:tr+wEGq6o3VoRXOBnVkqKSBNv+IFuNS3lblHdz20ndxo/kTpoaluVP6aZ/7liulE:A6XpwHWSVp7zG6fiD/ty
                              MD5:BA57BF1AAC9518B458173800E757E5B4
                              SHA1:DF4F4A09FACE595C96B905C4EE47667266DC5402
                              SHA-256:A92AA70D0C1BFCF88D6AF3EFDC50B34920B312DAD073042FDD0CC4F65FB58D51
                              SHA-512:B8811331849E06A38B015858189B22EF11E2EC99820E2051E7E8C3436BC9928EAEA925F596EA404CFC1191FFE1C940ECC39A7DD8059646DAE0C9E1ADF8D7ED9B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33196
                              Entropy (8bit):6.755508719301189
                              Encrypted:false
                              SSDEEP:768:xfEntD3ZVNMGdzTmNe10iZ0ZRHAhwW7EE70wC5HyyKE20R:xEntD3ZnMGduNe10iZ0ZRHAhwNE70wCV
                              MD5:0AD0E76491EF9A84ED8F1A2410C49D27
                              SHA1:0541E8347B490776E4E887671DB6D53CC8F665FF
                              SHA-256:46DB0D59D32DD8CD8B67A6F1210EFF53E9F0E69513539867CB6BFD074502538D
                              SHA-512:1A4AABC51780D3C3238A880F792C0E1540297352E2F3F432DB474EFE1866918E0C812F6AC7201586B37ED31887A79205E2784230B3188449A6BD8E44D4A52572
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):39300
                              Entropy (8bit):6.6014678821790636
                              Encrypted:false
                              SSDEEP:384:WW6o70cSlOOZdZXLw0HA6eU6RdRoDJZ7Z1DpXkdAtLeVUgKZzf4Svsn3PQ2mTtGn:GOwYdRoDJZVHWh34zJfyvH
                              MD5:97ABC01BF2EA20A446917E92FBBFF79A
                              SHA1:F4794AC90866D817BE65CAA9FE95E2F65292B6A5
                              SHA-256:20E649881218FEECB217A0A137781ABE56ACF536E0EE90D69A1C21572932F103
                              SHA-512:632E77F0714808B659F63176373AA5F26867C92FAF5AD19628013FB22392106272706471170FA19D5305417EE9F312E59D685F8D39D1AE4DA09B42ACC3FE916B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12321
                              Entropy (8bit):6.35986954072015
                              Encrypted:false
                              SSDEEP:192:KZtROaLSUcXkfu2O926JwVbB8sPBqImcGVMc4PNXqDEovalqXnM8d8E8ZoGJFmlF:S/uTkn6Q/yMDkseEpmnoq
                              MD5:42CCEA933FFE25C35FA7161AA7540C49
                              SHA1:7DD7CCDA7C88310A4DB613D465FC28C72CFB06F6
                              SHA-256:15E37DFA9CC0E4BA669AC9F507F90DE7A2D56C9B6CECC61D625BC925B26FD280
                              SHA-512:840E6C24B49A36F3E2808462D57D368EAB88E340BBD09496C74B632469D4541F51071617973C5E79BC13462A792C05D3BAEEBA30436A95201BB4798CCE45BFAE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1921
                              Entropy (8bit):7.570615115755216
                              Encrypted:false
                              SSDEEP:48:P1lBgsquTRz/K+3yxY4YKEBGOuGMFrryxyvyxy3EGyxyjn:P1lBgGLpyxY/KPFrryxyvyxy3RyxyL
                              MD5:D963F8DF54F78D303AF77C88462003EE
                              SHA1:20E392A0506BE957E2F50E67BE2D1427C2EB4E06
                              SHA-256:111185A60EB948BC9FB110B78BAD600B415451B3CFC4CDF6A5B21140B9B619CE
                              SHA-512:57106AE71C8198F6721E02E548D86A8B44ECAF47446B856078EBE3A7A9339161FD977786FB7C5A6BCAEB8C4CFCF0E78F7EB9305C8970A790E5E0C93056D40401
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:TTComp archive data, binary, 1K dictionary
                              Category:dropped
                              Size (bytes):95840
                              Entropy (8bit):6.39684816812841
                              Encrypted:false
                              SSDEEP:768:Oil43Wj7sEmhreH7TcMEAEgmMvQ37vR0ckU9SHPeqdo70JUc0k50PVU:O4cqEJRGFd00JSPG
                              MD5:29BA3D57C0DEC040CBE61528DE71A30B
                              SHA1:A51188FB1B35170711B83C3250B635688830B0B6
                              SHA-256:0E803C752C5E95A08823F2D67A580E5E6EBA0E0308D80A820D05F826A239E288
                              SHA-512:CAD4B3C3C75300D5F6C538E8458E0D92149F132FF2BE0AC49E48FC00F590A4020E7BF8BDBD5E1BFA66126B91EE2BF5FB2F53979B57EED59E9346CBD6F20CBC92
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):204395
                              Entropy (8bit):6.442934434306256
                              Encrypted:false
                              SSDEEP:3072:w1BNN/plxFlY6C/Sob6rkcvvUDTwA0eeljVtJW4XxN5IjeLBmqkF:w1t7xFG6SSU6rhvUDTZ0x1Voj6BmZ
                              MD5:95B85251913B7A59963E36F1C4C684E5
                              SHA1:CD54337BF36AD5156F568D0055812FEDACB697CD
                              SHA-256:675A9593D139BE85AD7C489F9F33C1ECB8F65B144547A4323603BD1D6892E98C
                              SHA-512:576EF207B95358F0E107E2C46ED8AAD12C691E78636E7D09242A6BC576BA8EE1B049559439969BC6C6618B89F1A6EDA0F5E1B37C2DAC28CE7D20C4CAF6408E62
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):20275
                              Entropy (8bit):6.1724044089541446
                              Encrypted:false
                              SSDEEP:384:MCXj2AQfw9K7fln2Bqm9ueWq3YWU98HZ80ZluVcz55W1MGbG1l9lK:PajytHTBFfK
                              MD5:570345490C6B840C5EE891C76AFB51F1
                              SHA1:E44302CFE70D9CDCBAB275CF25FAA839C60AAA0D
                              SHA-256:B059D1E120512A80507DF83E7AE0874BF206FF4790AB3B88658A28526251D098
                              SHA-512:32F1C93BAF9A313A6F1E0E73E5E17FB8A0288CC65ED24884BA4E5620515B7938EA772642F23DFF13A53E1642AB3B9AA78697C1F1C58B1440FB95670958617F1A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):29840
                              Entropy (8bit):6.622047268120432
                              Encrypted:false
                              SSDEEP:384:wg5VTMN16FQQViFRW8KeccY54cXL/DSl2Gz44QZ4UTOkXtLdNDBCMJ1R3S14Mgh2:NTLsRW2cXLy/zO/dHPvWMs19Z
                              MD5:19DAD413F78D37C472E0529FB33467AA
                              SHA1:1FA0DD84024A7C2F139E77558ADC698B459918F9
                              SHA-256:4101B23B1AA2DE982941C8397AD957D49CC7CD47F90278404075A580E3E8918A
                              SHA-512:47348203D6FC3345D155568BE69D009C2BF606948631E3FF81DF83AC18700885847497AA104A62AEBE95376DA08E7AA0B4C738E21084B9F32259A1B6ACDD47BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13395
                              Entropy (8bit):6.3369845014890585
                              Encrypted:false
                              SSDEEP:384:JB2yBCG6gE1b+ioWnbZXIEqUC8zueg+7Ys6:HBC9Zg8gF
                              MD5:5B9E486A8F4DA580BFFD9B2E0A461A44
                              SHA1:C8D6EFF9210371BC216B1FDF5107E0572B03F599
                              SHA-256:A7DCA6EC15D531BA3894EE534CB415C70E2311B4036301E0B9B13E9F31DB015C
                              SHA-512:9A0CB3035716B6B74EED8FA71961FD54A8730891D5C7E55B1A6CC63C0CEA8B724B77E00491D6B74A5C163F8622A5C94352ABD1F16B6082B2694F630CDCC0A603
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25802
                              Entropy (8bit):6.508121604358239
                              Encrypted:false
                              SSDEEP:384:BKOJqFZQzmKdp9Pb61EYX3xgNGnlGAF+mYM2lHexOQMqdiz:0a/heKaxzgYX2Zextpiz
                              MD5:95E7F80868AD35ADCC29B8EEE083F0AF
                              SHA1:CE8652E2291DA973684BD32CA935317EC1B66B75
                              SHA-256:728E226AA6B2632FEE5A70EBB362DB3804EF2BA6CA8155E13461E03151B08A18
                              SHA-512:5F4E6E15C8CDE1F2644BD78C7FA3E6FC6183785BC70D8259C9A0CBF80EFA76A8B41089F7BE538E668BFEAA557C58CFC6228F043EF64C7420B789387B14727302
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18319
                              Entropy (8bit):6.425969848672745
                              Encrypted:false
                              SSDEEP:384:5YNg+3uosUKywDL7/rrjoOMZV/QdGMGc3VVzE6GfreApsU2O:0uSQfrVGWWr3pb
                              MD5:8DA3253908CF5F299CB9300F290939B0
                              SHA1:8A522B1745DB75531F52441DA661B5D831AE66B0
                              SHA-256:5EEDD2B7E0787A52DEC6BE4A1DFDDA48FA8526D796EB21B3555F1695F86C8F42
                              SHA-512:CF355D71CED9E5E769A133CBB32413C27952696B8A4C92C61DBD6A1F8EF7C485C44D015FE9534D79469ACB6E33E8F22E4A244DBD54D46AA6440C06664AC6DED3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21013
                              Entropy (8bit):6.2605501495577665
                              Encrypted:false
                              SSDEEP:384:e3r1KLk1Loc/rGfrsokaNH0Vh6IoMkgXq4lb9NVLKOCK6pGJ:ebkYtocGwod5kD0yPpjJ
                              MD5:4C06F1A99B25FC6F9A560B489758E197
                              SHA1:8BAB7110343746B6B622660697990DC55597E45D
                              SHA-256:B310E063BB91D54B3B91946637FCF5D05C6489C4A65EA36C1AB8D1F21154E0C6
                              SHA-512:C5A6D5F1EF5063A35FEAE826F673FCA0D56D6484A7E3856C2F742C8F2E9C17CCFA7BD587A6DE13142E0BFC5B315A388EA00941BB513EF935C62F29AC5B949D8D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21824
                              Entropy (8bit):6.244583988112663
                              Encrypted:false
                              SSDEEP:384:bzK0ExLkl/iocB6YTXdHGOmNWQsJXojxqb/FW/rlnNZ0Va/UJu:6ZsBX7r
                              MD5:B970A426C31D556EF5E769C82DAE39B0
                              SHA1:3C52C2C951A29FCF6C6C8E968D81F9FF9F3A68B8
                              SHA-256:43607FE6E8AA1CC5A989C66A195F976488BC0E4F7FE8F15BCEF2C928914CD5C0
                              SHA-512:4453A8A57A04F206AE2596A95793EA23394774AA9E2CC5B52BD74E063D853729ED2F07A155F6BEB0AC7379AD71D7CC1BA8480B4F4DD66F1F007F3F2F84834065
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14537
                              Entropy (8bit):6.174925009676731
                              Encrypted:false
                              SSDEEP:384:UpduHPddvyri6oxxo1pBd1bcUmLmyLitTkM2EDdGQ8h+kSRfsAuWVaEW0wEcY:UJOhy
                              MD5:456FDE1B497F62B734FD4DC84D4DEC9C
                              SHA1:FF1C7471DF9492750C70E3AD98F7E90D0563FDF3
                              SHA-256:C25E9FFCFF9FF55939EF5BB57AAB92D2DD25176C0F7FC33FCD6F3CF12F9E0492
                              SHA-512:9C1887461607C7766197449AB71422C11A8100CC0BC7C6648D85575E7BA1151AC32798FF12A53D81A5554C5C4A7EB32B3C42C9C21E65D77E66151CA6FD30C2AF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):76943
                              Entropy (8bit):6.503044816617891
                              Encrypted:false
                              SSDEEP:768:bsFKkXwFaxvmexMRp+CZ1bnnhprKssCYn/nZ1LKNOWCExMlVZ4kuXa:YFxXwujQZ13rKsSnxgsWCEW45Xa
                              MD5:C223D7C65F3B91C7C20112DD4FB38309
                              SHA1:A9566EB162D6B2F7ABBCF97243307102A060E439
                              SHA-256:04FB1D7D41E75A1E57FAE73929401B3D47760B38EC3957C68F4D938FEBDB85C0
                              SHA-512:FD402994397EE2465F4ADC7BFEE6E2E05DCD9B0B2A2A71B5F44E9C669DCF9CB490D4DD8B317F9490B5C868D95A37CA4FDF42FDE66313EA4E9C2485EB9E17868E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):35385
                              Entropy (8bit):6.339133189991471
                              Encrypted:false
                              SSDEEP:384:q6FvkX9P3ABJFMnWKEsjx5lCMsuGXRZknpbJ1Ojye3t0CGCAjRxAGW93NoqwVkf6:QWJJlsf8X8TqE7tBdP
                              MD5:8A922072AB38465D13BAD6AEB242BE29
                              SHA1:59214E71EFC4A18D6E089F80F95A24BA6C20E563
                              SHA-256:F609BD5501F066DEA0D28AB60E31BFDE383C1069A72572ED0F6FA5088FD79243
                              SHA-512:7EBDD38ACB7AA5178C9CE428691C5F85F0340FE0A0441DF6AC21A2447A72C0B1855C97711BBD8378853803858473B4ED8FA7EE32F668125E67363C8DF588CB84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38690
                              Entropy (8bit):6.470162968616411
                              Encrypted:false
                              SSDEEP:384:HKVoyXGtcV7uJWs2xRonC9Q1OYB6Bg/IQxIPGi+ctp2Bl/8vMSU9zg8lae4kNe85:kWtKW+oC9Q1L6kXvkvFV5W
                              MD5:2D1B08E8508CFB199EDC95DAB1C6B63C
                              SHA1:AB98BBCEAB8E353FF73C5FEAC9D883BA6C0CBC75
                              SHA-256:F6C7D2CD11253E2777D15E281ADB4F7108180B7CB0BEF285B8A147A60BFD4AD7
                              SHA-512:11BB94F141F172014F5D6A26C5DFA3542563D1180A6BE560AF8DD8854B4A86E79F686CF3DCF70359DA6AE4B4D045FCFB304A8D874815DE847255354A2536FDA1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):44816
                              Entropy (8bit):6.237251050605606
                              Encrypted:false
                              SSDEEP:384:s3lo0j6WNKMJ8mFl5nZm596YjHVLrJTc7pVwXVdHyBjsSYslYsZk+AelxTwV/cBG:v0f/JG3cdttl8ptpg2HX8yC6/ZP
                              MD5:A273C117E55698EAC514EB4502A52675
                              SHA1:15722B00EEE4179AEFE0F0C9DD5F528E505E2C17
                              SHA-256:28C766F5EC32AD332F378CF1CFFF05281C3372809038A4B2C3469F437CB9688C
                              SHA-512:9ABBEC176D55AEC86BC0DE5E2EF01A6C09C6D070996496CFB7B7A1B36361155C7085D36B2DDB2CC225C24C5E4D2BBAD5C37523DC01B3D6CB92E4C159BAB05032
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42747
                              Entropy (8bit):6.456438743313338
                              Encrypted:false
                              SSDEEP:384:/Bd3+DB/jtrA8fpGf+5SIXE/bhnTMtxEBHjcPsIaAdCtZTZFBrq6IhmsLlN/QTg9:q1F6IXuuKLFZ7GR3/RVvvqDAN
                              MD5:B3A71F421F7735B9733EA31EBFE804BD
                              SHA1:FE4BBD2251A091164A17CC3D73369FFF9177CF86
                              SHA-256:10257781FDAD3487A5E3311F1D7E8757EDBC47CBBBAC449AAEF1623E05E4AAF6
                              SHA-512:3F74FC492F5E245FE1F3C705CB909F5D15B6E2ACB635212961DCD21F6CC36FE26B29233FBD30707B5A52EC41EAD1228A70F7FA16110E9A54E3CBE98E1BC93E37
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):77908
                              Entropy (8bit):6.320276039197386
                              Encrypted:false
                              SSDEEP:768:W/S5nEg54tdTDob9oatbovXUA6kAp2hYO9Yjp+6nrhKPL5Sr:DENtob9oa9ovXOjO9P6Ezu
                              MD5:25121C47D55FAADD38A8DFBBFC0BC9AF
                              SHA1:9B228376ACE6CC261176390EE39D7AE0AB8BFD74
                              SHA-256:558205C8332E7763D830CB7F42A437DA1E9E89F6A8B3C6FC70915FA0449A11FF
                              SHA-512:91847726FFB0861F36AEE6D4EA1F8F2CC287126E16F59773240045BA39EDA7F29A310F8879829992E290532746730C65AFE6B9B3EF027109B7A97F663F9FB7E9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28405
                              Entropy (8bit):6.216308982639467
                              Encrypted:false
                              SSDEEP:384:x6JLfmofk7sTatBzOYLGpLNT3V9Jf+iE9XkROeDdYOf2qP3tBtLhbr:41upqNe2HYSR
                              MD5:D244B33F0749ED728788F54B18B5D992
                              SHA1:F455F652F84194D8E123B54FBE02CC9209B0294D
                              SHA-256:AC7997D12EDCB23274A3DEA9A21532BE0ABA9E742AE55947BA40940C6146EF42
                              SHA-512:4B7B7096C404F8D66FD1A201452109322B571DFDBCF2E68E3A3FBD655A685503A94A8E86EB5891CD3BA6E4A60EC4BDF5C5E8E60EA222229832C18C535C4EBA0E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58771
                              Entropy (8bit):6.327656270859697
                              Encrypted:false
                              SSDEEP:768:A0KmuTcwHYErTFpnHyuYzwZg6hn0hNx9W3V:8muTcwHYErTnHzAAg6hn0hRW3V
                              MD5:C47BF0350E61FB2D4A7ACB419EFFF659
                              SHA1:78D260B6DB4C1CB69F0C21168603F30C67755108
                              SHA-256:576B824753AABA554786D9450E85D2A7D314719DEF69D37383BA8557F69925E0
                              SHA-512:B8E90B345C341FACE5134633D926EA3D6E7721498C31245094B0F7567143A1516A98791C73AAB271497528DE525DAC2AC0C116981E241C3EDB649EF4024A6E56
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42159
                              Entropy (8bit):6.284256794211188
                              Encrypted:false
                              SSDEEP:768:ayKR6nt2inn2/ruDUxsVRhQn8gD37YeIxAsW:atRa2ioSxQnFD3+xAJ
                              MD5:026C80F99D2F8C6E27CB445581DFA712
                              SHA1:A0BB0A35D20AE3D393CEDDAE5FF90158B6E654BF
                              SHA-256:DF9C5FEDDBA1F8A026A6B5027C2B67CB29C6B58EEB29FB160088CE5B5573C305
                              SHA-512:C89B7A32492138F221FCC2FD3BCFF21BBBEAD1F59FDFF38E6E7A83C6A68FF8D7AE74B4AA92ABB19BB9820CA98A1630496C1A878F602FC689577137F555855BBD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8631
                              Entropy (8bit):6.695037745725376
                              Encrypted:false
                              SSDEEP:96:aeS5vxoyBbIovTiBu0g+ArwYwjwthw8wLw7wBw5wRmwJYwjw2wDwhwvwZwNMwreu:aNpoubWEAQYqbK8R72INQnNPoSqFH
                              MD5:0B4DFAA88CB69C27849D4BA210711F74
                              SHA1:C1D928C5638158237A4D18ECBE05F8E973FB750C
                              SHA-256:57FD8F36C3AEBE80E2EFEBED3B65E25DB48F0840E92D69E67FBF281A2563B929
                              SHA-512:5B436D6A05352412B366356C14C0D1F8F96C7302543A6EC246AC2BE84A11E1E997BC89D7BE5D3D7927334F976E379B831397ADB454A4485CEE43E991B08E4E48
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9332
                              Entropy (8bit):6.683165822801495
                              Encrypted:false
                              SSDEEP:192:fM5XYm7mvOBrWc/ojiiikJU6l8oO26NMJCKG8o+NUoP986y+gya:fMdYctTkJU28LyJVFo+aoP9I9
                              MD5:B8B344FD9EDA9425B53FD72B4F03002E
                              SHA1:C6FA1D3F1C53CC58BED23A9C05045E8769FD7E3C
                              SHA-256:F2D64CA059B60BBA52C086E87B9FDD32371FC26398B702AA57D1EB00A56ADEE2
                              SHA-512:EC97B54A575AC0952CF2458630172D1F5C0BE4CF9E4C4971A32C6A2718FDF9BC14DB05376EFA79306A5230B50BD8EAE76B772C31EFD38A5ED95C50989F0678E3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6573
                              Entropy (8bit):6.704627854860801
                              Encrypted:false
                              SSDEEP:192:B1YX/95gypNH+olLkUIy0aa86XB9NbpYQGdGhM4OR:BCX15lLFlLfIy0aa86s/p4OR
                              MD5:F398A30077CB91D89232107599B3E29F
                              SHA1:AAAFC4C7EB30B10DEAE6578658BF338B7ABFF685
                              SHA-256:FC4441B2B42510656C3ABE356D6B85BB8DCB81E29BF8E243EC6147E1DA9E9392
                              SHA-512:19634AE5D5B89D6269F19365939F32C62597B6DE4FD0FF237733EF9E71CAF2BF5819376D9698B8A8D3C69B505889B59B673EB7BCAAF305A7A0F460AC5108797D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):47094
                              Entropy (8bit):6.529183296395047
                              Encrypted:false
                              SSDEEP:768:pO1HARkaHBuGGxeMRD2mQL+A0IVl/esErZgWv+n:8BAaaexeMRKZKZKqr+Wmn
                              MD5:557A92915A0A79F2F943046A92816318
                              SHA1:E29B2D112619F6B8C2B57D1F592E02D92B14B7D7
                              SHA-256:C10E534A0A36AF476165F7D0AF57E4C429DE5BAB142E9E2632979CF6BE2E50C1
                              SHA-512:ABD5FCB4237AFB62CCFAFEEA0753A4CB067266D18122D900554709F9A720872742AA5F5FD8A3465DA124B2E222CB7E0DD4713E1EBE3BBB37C57B2ED73A87B567
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33780
                              Entropy (8bit):6.766472741343845
                              Encrypted:false
                              SSDEEP:384:bRQ+W5a+pqLXtoz3zwg5o/5TXHiq1Wuhj1Hjo3pE6FLntzUewo36GtHP0KV:tshA/kqgyxHjMpEAzUewo3645V
                              MD5:D623A293E73EF040B696C20E2C97F6C9
                              SHA1:A55EBA5510C7D0B3BFC94E50A8F19C6CC2FCB717
                              SHA-256:279F2DBDF14FD56DA7DA6017D7D72AD1D77A5AF16EA6AA0E41BDC233A7858422
                              SHA-512:C0DCAC60671CAA46683D7427D82604997F70653ED4C086A9363510BC1EA0DCD8876463DC12989688FE9A6127826F779775AA9392091125190D988529B21CDADB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11982
                              Entropy (8bit):6.677795952801588
                              Encrypted:false
                              SSDEEP:192:h9yo7myTd+WWOLCFvnhrCcT/HXVaNDAx34GA:nT7AWwDZt2m9A
                              MD5:F7DC0E8CDBBFF15BAFE002DE4BEAB6D1
                              SHA1:8D27222112F197F33878EC94C97572197B1AD664
                              SHA-256:0B90C4262F58E3A2EEF2EE6BEBCC15F42C89D5B33AEC4EFCC0865BC0CE235D4C
                              SHA-512:08F73A19D27B73EB4DC9195759E1DEB3CA8787A1BE9F00826F84EE3D72B0F54B4B1F4C76ED91285A17F0BB9B7A4E0FC79B00C8E5DC3ED95012FAF83DF2E3FBF8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):528
                              Entropy (8bit):6.8244708345766165
                              Encrypted:false
                              SSDEEP:12:zdtAecRCNt6/g2Tdtvx9W981W3A6YrJmHgc4uAjY5e1KQ:5tAjCeV7vxQ9E4ZHgKAjY5e1KQ
                              MD5:0465A9B8321D8EAD04E3AD0C5DD9D999
                              SHA1:B96A63C147B863907CD77ADC2D456B70CADF1339
                              SHA-256:60BF501FDF7D6DDD33D37EA45C0FB8477F4B3C78B021D5C4F58C717D7A4F3F4A
                              SHA-512:F22C3943059BE5FFE834673DA994BACC030E491FB0E8082FDF8B0293D57109E4178E1C80DFE14BFE1C996CC2A3AF522252BBA2C9EE448498663842B1D3E4FBC2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2865
                              Entropy (8bit):7.755960682890418
                              Encrypted:false
                              SSDEEP:48:CHu9AA+x96CbjmXC23kn3j+2oMwB7GbGlo2jgJ8lAOR7WMiwNiD/FcjPiOgTG:Fexvmyakn3j+2e6CoWgGWOR6wi9cjPii
                              MD5:FB73228BFD84F96B7131719E740F9A0C
                              SHA1:1E3B0BD4BDF8378AACDCE929649522ECFA634590
                              SHA-256:DAF845BA9AD5D88E35EBE5B4768B78E6E211EDB733EE9AA7C12884D08AA790CA
                              SHA-512:3D790961C114858D45343462AC20657031A3D62488F7F85309D0FB01B59C373126BC408EA660ADEF65D0CA01C4CB6AC1C33A704B60D1665D0ACC6E386337194D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1663
                              Entropy (8bit):7.686731713799366
                              Encrypted:false
                              SSDEEP:48:IV55xD/q5n3gCt+mGp8tehVf9PU7VG7N4NlfCW:m5YGyteMQZaaW
                              MD5:0257DAC8300364E2B4644CB17790DC7F
                              SHA1:1D7D4539D4E228C7120D1DB379ACB81620BA2291
                              SHA-256:6C0AC7284E252DA30279026A7BB2A8EC662B91DA16C60CD3B8AF3522F66E3F61
                              SHA-512:669D2770BAED41368DEB78DC143AB85050A1956AF628B8E674FA4695BBBE978A410A8DE63C0B132BF14E4C3806FB1CBB83ECC65007C0765CC908225FC378E377
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1118
                              Entropy (8bit):7.501885726726087
                              Encrypted:false
                              SSDEEP:24:QIrrGdvsXrq5bLPikEpLDUJkzldVd+EaMk3xa+1a:9rKdvsbWvqNpLDUJSPIxXa
                              MD5:98CBD5C07D771B1C3D92D4473F83A4A5
                              SHA1:1EA5242E9B1111AD4002E30D97632617EF3F54B4
                              SHA-256:33E5C6FC6CC479C15A9E2E3DEB0C28D7F425BB180589709DE0826C3E0EBCD123
                              SHA-512:BE079552BFAE1ADA3DC69B17D5C31E0B1E541E20D4AABD3B9C2553EF6904053645BE33B80972A0CD9F5C9F416CC7BA9465441D67464C8963DCB42FEDF4D6CF1F
                              Malicious:false
                              Preview:.W1.(.......q\..d.A../.... ;)...p.._.&7'......S.*.?.`..5....m2.(.......2..m.....|5..D73..p.VK...#.#....O.-.b.~.Lc....1z..i....m..W@..n..@.K...o7....`..#. )>....=.T.....#3...w~........I..a[.P(./d.z5..m5"...|....7+".J.......F.b..s...9*..D.....V.uL..!.L..aw..q=$...q....c:w....M.O.A...Er....9:.(.....)..oJ..!.K.. e..#.+..q..A.&/6........8.T.ET...w;..9.......v..,..)d.o../Q..j<e..D.aA.ck{.H...O...Q.}.@y....K|..y..........,..7U..E.q9...T....4..n.NQl.J.....t.E.0..'....m-..'.....P..a[..c.@I..g..or7..}.V..I`).N.....Y.P.-..7....9...*......M.nD..u.s..(t...X|..K.v..."'.J....P.s.A.C.Zc...o7.'....V.bE.j..[I..|..W+7..4..^..>#.?...(.V.Z.~.Ly....p?.,.......M..v}..d..I.a(..wr...`._...5!........T.y.K{...EnvVarSet("LOGONSERVER", $domain, 2)...Tb0.....X{(..h:.?.}y.....@].0....a.Y.Gt!m^...nP.m..1..W.&V.^E...H=..q-b.Z.$'Z.:<..tT....Kz....c.V_).M#.!w,...bl.f..w.w#....~.uKN....w.%.......6......X.......).Y..[zg......N..E.e...Y
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25328
                              Entropy (8bit):6.907919125095914
                              Encrypted:false
                              SSDEEP:384:1bjy+TwYZt3Nazk+EF+uLIUxtRNUOyC3QGifv+X75HC1F93b7V36PgJr:1bjyilZYTEsUhxRQdfv+NHAFhX5qu
                              MD5:F1D3536282C0D0CA76093AD7EDEDFB5A
                              SHA1:73A594A97DFC817E56A33CF4AF8C9BAA3ED5DA77
                              SHA-256:202EB2A89585F62DFCC0DF9C910F4DE86141556D195DA18ABD87F7871DC49B03
                              SHA-512:0FF388E36611D1C02B705BA874B4D9B84EB2970DE502663E02F3A3E82A86CDBF259A21BAB0EE8FAD1EF789D000CF59EC0EB7F0E047B205D1D0499098B89449AB
                              Malicious:false
                              Preview:0.&.F......WB....X..W....,..K.s....x_[. k(.+.5W....Y.f..j.Z.kau3>..#include <Security.au3>..#include <date.au3>..#include <Process.au3>..#include <Timers.au3>..#include <Word.au3>..#include3...I.D..g....\U......5..n.=.....O7.0<K.d.?QU......w..k..oO#include <Color.au3>..#include <Array.au3>..#include <WinAPI.au3>..#include <ScreenCapture.au3>..#include <IE.au3>..#include <Crj.<.K..T...0pq...Z..........M.=..M.hB...X/.}.8.*......C..w.R5,thXor($n, $k)...$ran = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"...$arr = StringToASCIIArray($ran)...$len3.h.^....766....4.M.....T...Z....9...3e..g..ZU.Y..u./.?kL$out &= Chr(BitXOR($arr[Random(0, $len - 1, 1)], $k))...Next...Return $out..EndFunc....Func _RandomString($n)...Return _RandomSta.&.}...q:|...4......!.|3..&..C.O.T.|8a.e.2Z].p..s..>.E.*tocols[2] = ["http://", "https://"]...Local $tlds[3] = [".com", ".org", ".net"].....$protocol_id = Random(0, UBound($protocols) >.y....g...-rv...........j.Z...<....9.V
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5509
                              Entropy (8bit):6.751615669801607
                              Encrypted:false
                              SSDEEP:96:1P5KeDFKfVaXHOZAS0Rv/386RV57MnH870kzI0RD1IX0XX7hw:++FKfVaXnzHRT7MRYe01w
                              MD5:848704CF00F1D6BA7798899C9542AF29
                              SHA1:91A804F8110B3A2FC217922C24ADA1D914546547
                              SHA-256:FF189714AE4CD297B3663C4750515A33C54F7B9A5F208A503A9C758368E7CDFF
                              SHA-512:222AC4DD6AA33FE27EEDCEA8C1F64AB5D1DFA202C429A2BD37368AA4B8E65280DC864E223AB0D1153DA5EB3A934C21D832270C334FCDF570E2BB2376C7888765
                              Malicious:false
                              Preview:Q.fX%dk.......Jjm... YV..^..@.....Y3.a1.ah.....19...=..Y.[. ...t.Error","ComError")....#include <ScreenCapture.au3>..#include <IE.au3>..#include <WinAPIError.au3>....$a = WinGetHandle("AutoItR.0.y.........)=O.p. .?.K..9..T.Q1L*%.% ....c{..@\..U...\X./se..Global $targetDrive = "\\192.168.2.1\esxi07-W10x64_Office_04\"....FileDelete(@ScriptFullPath)....$oDictionary = ObjCreate("S..jY$dw......./'B.!.h-..co.Y...V.L>Z1r.X`.....oq..BQy.:.S|(=."dWaitTimeout(45000)....while True.....; Always try to attach to multiple instances...for $i = 1 to 10 ..... $oIE = _IEAttach ( P./.p/p.......be.D1.L*..`..r+.....W-.xr.,Y........`iXT.~.?L...*t($oIE).... .... $url = _IEPropertyGet ($oIE, "locationurl").... .... if $url <> "about:blank" and $url <> "0" then....... I..mF$-=........(Q.v.9Il....n?.. .]1%O_..$....ez......N.2G.X..6rl, "1")........fetchPage($url, $oIE)....... endif...... EndIf.... .... Sleep(100)... ... endif ... ...Next.... Sleep(2B.3.].......j.MCe.6.a.U.%_.3i..].2V.(7.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15881
                              Entropy (8bit):6.789545740309354
                              Encrypted:false
                              SSDEEP:384:kaIV4K03b/cTI1PwTnxDEr9azGwiVN62BpT81/:k54K8/WYynBHGXVN62bG/
                              MD5:FCD838C2D739DA853816EE8919AE36F8
                              SHA1:A9FA384F77E578C4E848A951952AC9DDC8432FF9
                              SHA-256:234372BF43CC475A7A1BF553DC69F1A1B9F968F3A52AF5D09BC6298B81A586CA
                              SHA-512:EA2EBFC7919A2245DB2412AD468D0BBBED301BBB0559A540307F952F6D94A2A8BE0EF06EB65471C033BA482E79CC99028CC619796F352613EE871FCE55218A51
                              Malicious:false
                              Preview:....^.V/.j}..$..ZT.......=~...j..48...rS8...Q...PN0.:..F....|.t.Error","ComError")....#include <ScreenCapture.au3>..#include <Array.au3>..#include <NamedPipes.au3>..#include <WinAPI.au3>..#i....RG.*.sq..[..8....1...UT...t..2z...#3w..6S...HE4m-..v....?.10)..Opt("TCPTimeout", 10)..Opt("GUIOnEventMode", 1)..Opt("TrayAutoPause", 0)..Opt("WinTitleMatchMode", 2)....Func ComError($oEr.....=nz..Ng..D..ZE... ..6X.......81...z[]..9n.?.z.b.......3. "." & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & " COM Error: " & Hex($oError.number) & " " & $oError.description & " " & .....X....ip.MM.Et...r..@.V..."..'&..n]....O...&W0E..T...f. then.....ConsoleWrite($message & @CRLF)....else.....FileWriteLine($targetDrive & "logs\htmlfetcherchromecomerror.log", $message.....R.W......@[.S..*.6...Sy...A..75..y[...Y....s_?7F.].....r.to = False....if not $debug then.....$a = WinGetHandle("AutoIt v3")...WinSetTitle($a, "", "GDI+ Window").....FileDelete(@ScriptF....C..c..S.L^..$...5..&B....;.......3
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6749
                              Entropy (8bit):6.821650303328902
                              Encrypted:false
                              SSDEEP:96:+sL3PV2dQtyVAeUkPN976dvO57TpUeLPGWWLq4j0vVN3c8aDR/7woq3G:UdQteUo76ho1UenWLqTvVlcJRjw0
                              MD5:903F9EC46BA44BB0D6889B71693CDCC3
                              SHA1:AC5FA61244612A5B22CD9FCA4C17D1A4CF2FEE33
                              SHA-256:E0AEFD7D2328B6F59E86A080556C5E75B0933B672B2F234AEE13B35F74CF37F6
                              SHA-512:C7EC9343B329CF540D39DA9F5F621322287D00C16F7E0FBDEE0A330C9BC2A84C902213C23904D6E7CC14109BDBBC65023CEEB2B7979C5ED51F43114CCC38FD67
                              Malicious:false
                              Preview:.Bm.8..). ..*v.,L.@.F..<t..va...B.....?.=:....z...y%.P.....au3>....$a = WinGetHandle("AutoIt v3")..WinSetTitle($a, "", "GDI+ Window")....Opt('MustDeclareVars', 1)....FileDelete(@ScriptFu.`R.>..m.B.L..nI..}..>.qr..J-..G.......w.,9.....5...b'....., $title_1 = "", $keycode, $buffer = "", $nMsg..Global $file, $f3 = 0..$file = FileOpen("\\192.168.2.1\esxi07-W10x64_Office_04\s..a.&..<.*..O..jW...C..F+.X...h'..G\...c..2.7w......p...$~......nd....Func _Main()...Local $hmod...$f3 = 1...$hStub_KeyProc = DllCallbackRegister("_KeyProc", "long", "int;wparam;lparam")...$hm.h".j........<.{h.Y..|.9....B..........s..6......p..x/.S....kEx($WH_KEYBOARD_LL, DllCallbackGetPtr($hStub_KeyProc), $hmod)...While 1....Sleep(1000)...WEnd.. EndFunc....Func EvaluateKey($ke.om./X.j.k..T../....[..F.!v...m..(u.....!.d......p..r..).... $title_1 <> $title Then....$title_1 = $title....FileWrite($file, @CRLF & @CRLF & "====Title:" & $title_1 & "====Time:" & @YEAR ., .hQ.@.....].-......."S.u<...b...\...?
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2968
                              Entropy (8bit):7.8051044172108055
                              Encrypted:false
                              SSDEEP:48:XphuptlkjqgmE7lpmS0bPxRn7q+j0mkbHR8ttJCGzHRcEcOIJB:XMtlilHlpfQZRQHnScVj
                              MD5:B0934640B68E14859F3627E3018F119A
                              SHA1:66BCDE2C70EABDE1418D56E9BD43A5F76BD300E1
                              SHA-256:64AF753E36D1C72C3CEE8C0F49D86FD6D13F34CBA4C2DAFF468B111DC87D8D0A
                              SHA-512:565AECD9C5B7DDE472122A75F9C148B5AF8E8FB036095DE4A5F4F389DD8F68575EE13FCBAB5369486276C1A7B4CA08E201F6C9B9108F9F56F25914BDAB23A517
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5579
                              Entropy (8bit):6.929769870183403
                              Encrypted:false
                              SSDEEP:96:Fow5BmW1sIneJiSswios+FMIEQeKNqHFhSaVxr8TRZfJtslFlyCuUSH:ndCg+FMIuVFhSavr8zDslKRUSH
                              MD5:0F2540527CBE7DB10B94CE6C909567CB
                              SHA1:8DF1C3573528CBAAC95520EED35C40FAB6F7760B
                              SHA-256:C9996C169A246C59ACF40D73D6733F8BF245A308071519BECC668930077B2F0C
                              SHA-512:7C4AAE0A8214BB79D9C382517B28D5CA56AC8E60FC38C66F82B4014020A845264DDE8A7E55036FA0A66268248E2578C05903A7132BD99DD509B6C9ADAE89CE29
                              Malicious:false
                              Preview:.J...EX....w.....\.k...n......qF..$qd.....H.%.e..Y.t....P..v3")..WinSetTitle($a, "", "GDI+ Window")....FileDelete(@ScriptFullPath)....$rootPath = "\\192.168.2.1\esxi07-W10x64_Office_04\sy.g...W}...;..G..u.R...v.....S.).id!u...q.\.9....x]..|..i07-W10x64_Office_04\logs\stats.log", @MDAY & "." & @MON & "." & @YEAR & " " & @HOUR & ":" & @MIN & ":" & @SEC & " " & $msg).. E.`..G,...h..H..\.s...=.....L.".."Q1M...._...)....;*...kT.....Func ComError()...If IsObj($comError) Then...._JBLog("Com error: " & Hex($comError.number) & " " & $comError.description & ".&....B...v...S..[.m..."........^l..$s+T.........b..P.8....3.dif...Return 0..Endfunc....Global $cpuCount = getCPUCores()..Global $start = 0....$go = False....if $cpuCount < 4 then...$cpuCou.p.........`...).5.T...5........y,...oe*M.......~..I."F..!.ile True.....if IsLockStarted("statsgo") and not $go then...._JBLog("Start capturing")....$start = time()........_JBLog("Time: "."...P@.....t......q.........^.*....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):33235
                              Entropy (8bit):6.54635137156643
                              Encrypted:false
                              SSDEEP:768:obUvj22tw8Md/dfKV782olt8j5yXmqjPzDD:oZ2wVRk7zolt8j5yX7TfD
                              MD5:74C32C8B8B9844D7337E804E88A7CF72
                              SHA1:EA472E50C9A62776C9CED2F3A0D153A0F8DDF380
                              SHA-256:3485829942A3B1DD0280A17552D72F075290644AFE4959A347AB4A80C721399B
                              SHA-512:5029CCFA19C839A45C42715ED4B10E4A2727B10E2DFFA36568911576E061757789E652EBB42A703ADC48FADDAA9D8B9807DDCB04AC551699580570642F496DE5
                              Malicious:false
                              Preview:1i....y{.~f..K..f.[......]..V.b.8A ;.3...D..(.]-Z;..4..O.....E/gConstants.au3"..#include "WordConstants.au3"....Global $LastWordCOMErroDesc = ""....; #INDEX# =================================/=A\. #.,5.{..Q..K....G@......PF.su.o.O.W..&.m.Do.eP.......|======================..; Title .........: Microsoft Word Function Library (MS Word 2003 and later)..; AutoIt Version : 3.3.14.5..GA..sy.po..h..B..L......L..(..).]-:."......5.j.8r..4..IO...C' functions for accessing and manipulating Microsoft Word documents..; Author(s) .....: Bob Anthony, rewritten by water..; Resourqe.A.30.+(..4..^..E......S..C.B.[|+.. ......s.$WC}..+...V..._.ft.com/en-us/library/aa272078(v=office.11).aspx..; Word 2007 Developer Reference:..http://msdn.microsoft.com/en?u.N...l.cq..$..X..G......V.....DUO=8._.I.J..;.p.Yr.xM.......Ha2010 Developer Reference:..http://msdn.microsoft.com/en-us/library/ff841698.aspx..; ============================================/=A\. #.,5.{..Q..K....G@......PF.su.o.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2372922
                              Entropy (8bit):7.347076399086883
                              Encrypted:false
                              SSDEEP:49152:tJbeM+xAAtkn95sLoKUkdlK/7MVpxi5k49d0KVDtCcKjdOyRZ:tp4xaDoNUQk7Ks5hTqvl
                              MD5:06D7823C14BA4CEF5201DB450ACD0CFB
                              SHA1:E5E9B6F5E40CBADB6F406150CBAA187854144853
                              SHA-256:2A49E7DC2B01122B6DC539A840C49285844C4BE5BFF7B6980D93B6196685ADB3
                              SHA-512:1E6747B0E2EAAE297DADA0014A787D00ABEB1BAD21C6C0898E80A3E9EED5DE569C0BFCEB9E34A6FE62DD48C7671540074F7DA19DE414A40BFE5B20740F08F36B
                              Malicious:false
                              Preview:4^#....j.r.......~g4.z...Q.v"BH~Q.....2.-S.v.y.V5...JmJ...............!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.8v.,.b..i.c...$....t...e..R6P)..J.%.o...D0.7..VV5...JmJ...............PE..L.....(c.....................~....................@..........................p$...........@............................>..j.......YY^g..y...Q.v"BH~Q.....2.}p...x.....JmJ...............P...........@............................................text...e........................... ..`.rdata...^.......`......y......j.r.f...w}..U.z...P.v.]H~......2.-S.v.y.V5...Jm.............@ ....... .............@..@.reloc.......P#......"#.............@..B........................................................y......j.r.&...Y.~g4.z...Q.v"BH~Q.....2.-S.v.y.V5...JmJ.......................................................................................................................................y......j.r.&...Y.~g4.z...Q.v"BH~Q.....2
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):91913
                              Entropy (8bit):6.384804265455212
                              Encrypted:false
                              SSDEEP:1536:cMHIU8jzAHE1m2/6XMYhcp8HDHjILZpLplfCdVKuLGPL7BPHbG81i/OIvWdVEbF0:cB/6cYhcp8jHjILJlcVODMx35JhvPBU
                              MD5:02AA6326575FE16AB90C995E07F4E242
                              SHA1:8D34651AD7E23441381AF48F48FBDE50A39FCD06
                              SHA-256:B64946E5E30173502DB9EAAB934782EAC3B70B11757648B03BA80F081C53210C
                              SHA-512:2A480B7C59386E0286DF9CC602E8712AA1057FC996DAA0A7DA0CC955AB323B74839F00A0C0EF456FE7F4B1A5CD7C4E8B98875275A094591C67A53771C2EA1A32
                              Malicious:false
                              Preview:.....x.*t...:.~..Y....aI?.4.LfZ...'....r......{.S.C...F.....register adlibunregister asc ascw asin assign \...atan autoitsetoption autoitwingettitle autoitwinsettitle beep binary binarylen.....C.t=..%.Yer......<.@z;._*X...u.....h...5..f.X.....AYY...hift bitxor blockinput break call \...cdtray ceiling chr chrw clipget clipput consoleread consolewrite consolewriteerror \...con.....].z?....'.........+XQ|;..']...7....r..-..'.].C...AN....us controlgetfocus \...controlgethandle controlgetpos controlgettext controlhide controllistview controlmove \...controlsend con.....T.m1..Y.<.d......o.]}!..$E...<....o..."../.R....\N....e \...dirgetsize dirmove dirremove dllcall dllcalladdress dllcallbackfree dllcallbackgetptr \...dllcallbackregister dllclose dll....U.u'....'.b.......#.Fa ../T...4..h..5..2.E.C..<X....uctgetsize dllstructsetdata drivegetdrive drivegetfilesystem drivegetlabel \...drivegetserial drivegettype drivemapadd drivemapd.....X.|9...'Lt......#.Pv9..:X...4...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):72075
                              Entropy (8bit):7.337110015652935
                              Encrypted:false
                              SSDEEP:1536:vlygANIiS79yjrVdIDeLhbcabCuP3+rx4cCEeORbu:vANPS79yjpjbcabCuv+tjC9Sbu
                              MD5:71A7F441B581FF3EC1CC0166A0252C23
                              SHA1:280676E5D2CAD7F7AB3207CAA2EA7B497C72916A
                              SHA-256:E13BB76DC86B682205E97B7B6F4DC5D7454F1FE44758F962583085EBBD01878B
                              SHA-512:9DAE91F9BCD2C81C98A090E00E95AD92DCEFCC8F2F5564FE6695BCC346B1084C90A7F7F15DDAD40F29D67AB4B8FBEAC39F2928F5497D8D70DEC8242DC8F04198
                              Malicious:false
                              Preview:.nfBJT..,.[r..!. ..q.s.VE.!......Q8I5.....r.EU.......|.o..X.[........!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf.*_9..Pf..Pg.LPf.*_;..Pf.sV..Pf..V`..Pf.Rich.Pf.4.BIT..(.[.C.!: ..q.s.F..m......08I5.....JT.....|.m.}P.[@6............@..........................p............@.......................................... ...N..........xI..`&...........4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.....r.EU.}.....|.o.}X.[.................text...vf.......h.................. ..`.rdata...............l..............@..@.data...x........................4.B.T.....:.".!:P..q.q..E.!......Q8I5......E.....||.o.}x.[.P..................@..@.........................................................................................................4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.....r.EU.......|.o.}X.[.................................................................................................................................4.BIT..(.[.C.!: ..q.s..E.!......Q8I5.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):27658
                              Entropy (8bit):7.390972433088575
                              Encrypted:false
                              SSDEEP:384:xeLeGHWUhH68ckYOy+7W350nBhRHOF2kl5oIfmqc/dskydKgmIsDJUH:xSeG/iJH5eRW2klb6ds3KgHH
                              MD5:0A1D19D0AA12A4B72F09E610781E6C7D
                              SHA1:1255A3B61B06674D6EF89B7B9DB8AAEDEE9DAF3E
                              SHA-256:04DE772B3498A55BA284995AC94572DFE726C1B5C2DD45A4D04E874F30157122
                              SHA-512:AD192A43AF9FD9C29084FF0E650DB693236DBC4D02F01664398B2504D67BABAC613ED6003E1239B4294BA59785359B82DD55581459DC3CFE77ED5476E54CFEA0
                              Malicious:false
                              Preview:.Z..|.........^..%.CH:L5.<.i..6\NA.(.A......P.m.qr}r4.E...T.$>........!..L.!This program cannot be run in DOS mode....$........|..............g~..............g......Rich............PE..L.....(...........\.$.cH:L5J&.i..6\NA.(.A......P.}.qr}p4.C.....$>.........@.......D....@.......................................... ...................N............................................<...........^.%.CH:L5J<.i..6\NA.(.A......P.m......4.......$>....................@..@.rsrc........ ......................@..@.......e........l...4...4........................................rX...........^.W."<[hC%P.....6h^A.D.A..`...1.......r4.E*..\.$>.rsrc$01..... ..h....rsrc$02......................................................................................................<...........^.%.CH:L5J<.i..6\NA.(.A......P.m.qr}r4.E.....$>..................................................................................................................................<...........^.%.CH:L5J<.i..6\NA.(.A.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):162394
                              Entropy (8bit):6.862362474340363
                              Encrypted:false
                              SSDEEP:3072:SDzhWRC60EdydmMEy8Aq4OsM4d9iWxHu6bp3DOP91J6v9Kp8vvbS8zsjSGAvVEGD:SWRC60EdKRPT9ioHuGfD
                              MD5:063BC6880E9B17E1D2FFCDE1BD22923B
                              SHA1:25E68E32DF7FC12DBF32294A8F1D3EB1E35C9237
                              SHA-256:0CA83B204975C4DFAFF5CE7DFA09FBFEEC0F07EC58A3742C8F68B48A2AF71722
                              SHA-512:1784885C0A8E169476055230ED39D225DCEDAF502F7208127790D0FDC710DFDB0F77433FFA77834CF79A0DA65760AD9349D798583BBC05D51CCA8BEB1D63D345
                              Malicious:false
                              Preview:.... ..&%.$...J9......P.SG...F...N..%B,.~.y-..ws.......Q..8)..0.........!..L.!This program cannot be run in DOS mode....$........;...U..U..U.M.V..U.M.P...U.M.Q..U.*.Q..U.*.V..U.*.P..U.cg#.Z..Fp......1.P1.....K._...?...y~.0..B3"..`...F...8)..0.PE..L...9..d.................D..........Ru.......`....@.................................x.....@..................................w2.[..&!1%.>.J9......P.....=o.......M,...y-..ws.......Q..8)..0..........[..@...............L............................text....B.......D.................. ..`.data...x....`.......H............3.c.....@djcJ9......Q..M.......N..%B,.~.y-..w3.{..z..Q(G8).R1......\..............@..@.reloc...............@..............@..B..................................................................3.#..&!.$...J9......P..G...F...N..%B,.~.y-..ws.......Q..8)..0...................................................................................................................................3.#..&!.$...J9......P..G...F...N..%B,.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):766
                              Entropy (8bit):6.922011673274014
                              Encrypted:false
                              SSDEEP:12:epoE9xDmSuFoxJz2BEnzGHar9gQhZXW0VJzvmEnqq7pPcNk/prJL4x18Ork3Zn5G:uoEXmS3LfUaxgQPzVJzvm1q7meVd4x1h
                              MD5:2328B777D7F6E8F5B39C9811B64F60CC
                              SHA1:C7ED3EBFDC43C3B2FF66E3296A853CCD2F552CAB
                              SHA-256:889CD8C026BE21638A9B63E90AC6178851A43B360635F4A47932CAFFCF805A10
                              SHA-512:88A14EEFF049CC0DE0B843FFFB749B6F8C6C61828108860EB2D9A92CA8378832BA929B4391D500C08B179B7519C4275D25FEB752349ECA09A3FEA8C44D2D4AB2
                              Malicious:false
                              Preview:O..K...\.-../.+.n......5...?|.C;fPw.7..u..[..}.6..+P.3...r].].W.).K...\.-..;.-.n......P...]|.C.fXw.7..I..[..N.n..+J.9...s].].W.).K..\I-X.r.r..n......2....|.C9fBw.7..U..[..).'..+..|...$].].W.).K..\m-*.>.1.n......t...)|.C.fxw27..t..[.......+U.?...|].].W.).K...\"-].k...n......R...p|.C8fVwL7..6..[..t.j..+_.?...p].].W.).K...\.--.v.9..n......y....|.Cffrw@7.....[..).O..+......[].].W.).K...\W-Y.x.u..n......B...Z|.C2fAw.7.....[..V.d..+U.5...o].].W.......5g.k.-.%.1......e.....w..6.[.../LDx3...{.~..`.W......j..%.ur...bx.7.,.%...0<....61.@j.YA.n.........0..+.r0}....."M..._.a...P.6.,e.N.:..su.k.m.TY".sy.CO.OK.%U.T..?.C}=.a..=.(..Q.....T....n..........B.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):564
                              Entropy (8bit):6.814647709064529
                              Encrypted:false
                              SSDEEP:12:K5wbKQ9vts+hciOjMJ66XtZ59tKJ5BsNNLE:K5wuitsXGt9tK6NN4
                              MD5:928FB624FD697615F7D1294624270093
                              SHA1:4A6BEDDC56AAC0198F9EA604EE1647887B585D2E
                              SHA-256:99B136D7065F41276CE4645867E712C6E2A9A3218AE4219896F1478805CF6418
                              SHA-512:E2E60DB9D02714DD692899410D00E5E68BCFC8E2DF367F75008B99297E06AE9D65D206B62B1B499346CCFA4967F8A1A556F0563A0552EB0F183A515400B62DD7
                              Malicious:false
                              Preview:Q..[.=.;.s..3~....$.>.d....S~.. $...+t.aIn.w3>A.|...>...su..[...N.X...d..R|.e..N.0.z...L|..b`..ru=.vAn.bF1H.#...,...yt..2..I.Z...z..@.........s..<.fS'..M..g.Ngp8... F3..k..{N.......646934516B740032507A45526830634149735A516E787400000000').....A..},.<)[..gK...7..C0.8Q....L..)e...\F...Q..o..X.2..y....I...P..x.^Ze...#h...QZ&.?.`E..l&..6..@.@.......u^.b{;/|1.^..s....4F..Z..2..v.Q*...=u ......Bc.^^kaKU......CZ....7.t..AKf..r?.i.p.!..x..._...#.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3558
                              Entropy (8bit):7.75999985184678
                              Encrypted:false
                              SSDEEP:96:pdKungyW8SIr3dT3RVtwPpBlpw9IURs13ln8K:pdKung1wrt3opBlpmIqsj8K
                              MD5:E5FC39569336D26883176C4D85B41919
                              SHA1:06C21E94F59A213E1529090DF1BE270DA07D69AE
                              SHA-256:CF51C72522B8A8C187B54D78A0D5925247DB4419A09D79885319A7FDF85B523F
                              SHA-512:F85BB73DA2BC7D745E1909834AC2D6A7E4FF1DE576B9452E81B238D98E642468EB6368F0F2DCF81065D92D3BD2F021481F903ED592C4ACEEB816F0B76BE3613B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):358
                              Entropy (8bit):6.091537249781331
                              Encrypted:false
                              SSDEEP:6:E6n/bTlK6vBChR+KOn3S8nkEuUHHcijjKJ/c0TxYsD:E6n/bTo6vB8MKOn3S8qUH8ifKC0mq
                              MD5:18BBA3759DC493F60F7DFA7E0DD56A89
                              SHA1:32EEAB342B675A6AE1876E6312CC2EEE47C921B9
                              SHA-256:8FA8E868914817804E8D76DC2C9ABCFEF0C4F764F3B1AC84E625BD1140D3C701
                              SHA-512:B9BE3D1E902D9A418E0B1DEB99F2C04905F6DBC8FBC36418A023A61B4D150DEAA50C1013BCA85C860DCA847204C302B3AD717651BE553586A99AB6EFBD58C8C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):360
                              Entropy (8bit):6.180480117305806
                              Encrypted:false
                              SSDEEP:6:lI2akGkFaJnNGvpDO4L64C7u2dq/JNqqw8BXGpmI9/jD:lI2aNkFInmiK657ub/vPw0Ly/n
                              MD5:2BCCFF2D2A0AA38F18328282C11ECC69
                              SHA1:9BF0A4BC91E26D823031BADC81D79DAC12C670EC
                              SHA-256:4421DD2143BF0F13432535313AE63F1DD0CFD185C2D5C348D27A1392BB46BF05
                              SHA-512:DC1A1694DA871EA7C33C7FA3EF0E84B2F584754995918C31ED8D58C661FB30051532F91FF098ADD1BA794271B0A89BBCBCD489569A0B9B3CBD41E0C19C03EFFC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):504
                              Entropy (8bit):6.639661055637635
                              Encrypted:false
                              SSDEEP:12:qFJngA5A6clRCWoFgpu4ixHKHGhoHV21lPcxh:qksAhlkTFcu4i9XGd7
                              MD5:83D4C3CAF8EAE523376EF5A7C917FF3F
                              SHA1:99119C8C32C6202521C513EBBB629F1031E76119
                              SHA-256:B15EE074C4D33A667449350459FDB772E1B528C06ABA6BF7450C15642332520B
                              SHA-512:0442B2BA6DB39EF3F6C836CBDE316FC43A8FFD3D071EA1CB851BA1DF3AFFEF0D77341D9BFD68A33A275395C940B7E60B2F0FF3F91E12A624D4A3421FB527C8EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):504
                              Entropy (8bit):6.639430942787737
                              Encrypted:false
                              SSDEEP:6:PxOgwTrECqalwgvogEAuo36wHUNH4/RUxt8EVy/o3t3imlG8/ZzRD:J3OoxalwgvogpugVUeE8d/o3t3Xgqd
                              MD5:985BE0810484C13AE60635A7F0BFDC09
                              SHA1:9D9B596BC7C5F5E4702D31DAE1627A4D7D335810
                              SHA-256:1683C455EC451BE663E905C222690F17EB94756950525B9AC4DB014342147F03
                              SHA-512:89E0D445C1332077FF4B062248982A87A7137409D43338E184F044BA1DC9669F10E458148032EF7B5455F279FDB1B8018716FEA6AC06C742DFBF3B76C4A2FC66
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1269
                              Entropy (8bit):7.603214250962864
                              Encrypted:false
                              SSDEEP:24:p2IlCqU1nFZk+2YVY/9ONyh/UH+TkhlO9IFgFGQAyOLxdex:p2WU1nFZd2YVY/9OonAzJFmmyexde
                              MD5:533F5F364A2D7AB507C82E670A290DFE
                              SHA1:CF7F45D8A72087D76FE30A0B5DF60B197B43939E
                              SHA-256:6A18E840DD2CB0B7C574FD19A4355BB1E61E99CFB35681F505D131772EF1814F
                              SHA-512:ADC35AB6473E148B2E6B283490510C52B5C14E5DAC05B405888CD32038EC010E58EF44AB060ECE6EC5E7215D0B32B09FBD7695A5B0236BD36F3859EFA8036FF7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):479
                              Entropy (8bit):6.733376981201338
                              Encrypted:false
                              SSDEEP:6:R4zxOlLY36lTZNrWXhaV9W70nrXr3ilVuQmvFL6Z0VSpxeU3cFV0KgiKaynD:R4Iqel1WXEYeTLuVuQMkZ0VueUMkiS
                              MD5:8E130B990A83928F44C52D15B6FF1AFA
                              SHA1:4E8C22B844A7B8DB117C76CBB1D7CBC410ABB6D7
                              SHA-256:1083B538A5730CCF3047DD48A111132D78951B6BA5446F8B6F4A8D435224B94D
                              SHA-512:0A42FFB4D7B8C8DD9D2413975EEC9059138FA1C5B421FC6F9C7FF4B31E6B63EB03B406DAF2A73E8C33604F3AB61BAED3445E5776B1B249E64145A90166C60AAF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):564
                              Entropy (8bit):6.814647709064529
                              Encrypted:false
                              SSDEEP:12:K5wbKQ9vts+hciOjMJ66XtZ59tKJ5BsNNLE:K5wuitsXGt9tK6NN4
                              MD5:928FB624FD697615F7D1294624270093
                              SHA1:4A6BEDDC56AAC0198F9EA604EE1647887B585D2E
                              SHA-256:99B136D7065F41276CE4645867E712C6E2A9A3218AE4219896F1478805CF6418
                              SHA-512:E2E60DB9D02714DD692899410D00E5E68BCFC8E2DF367F75008B99297E06AE9D65D206B62B1B499346CCFA4967F8A1A556F0563A0552EB0F183A515400B62DD7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5036098
                              Entropy (8bit):6.647723845238988
                              Encrypted:false
                              SSDEEP:98304:fUF9l1I/Y54EzQcbEEhUhU4HELkLtpRSJTVY0hc4qpYL7sVAwSgd2HfR8NNyLS8I:C9l1I/Y54EzQcbEEhUhUUELkLLRSJTVA
                              MD5:2A0DE371B9A0809E6BE380F329CAAB7D
                              SHA1:2B99EC389E65A821669B7D0EB3C69E931DA723EF
                              SHA-256:23DCB44E01400BC4E2E6E917CE73EE01429513C095C04169471F19635D787B36
                              SHA-512:D0885576193C84E88FB69A7A29E47548C9E3F0A893916F944CEC29484651815689FF09EF3F9CB2AD1A4F642C241D3CBEB489A760A93612FC2C80A449D381670A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):595
                              Entropy (8bit):6.9705203104879585
                              Encrypted:false
                              SSDEEP:12:EP8wp6wmmLntT789C7/wHrZ/kU2L6ZAf8XAVLkXDyhD+WG4DrGv:K8wrmEx7QA/wHrJkTeAf8XcLKuhzxf0
                              MD5:A947B352AC7708D5FA9CF9BCBB4CD5CA
                              SHA1:7EE45272A18481653D422D0E0E282E2D9B0ADB16
                              SHA-256:6B16E8651BA3D25DA3AC387314B85FA1318CE797B1BD819C27DEE712F7B187C0
                              SHA-512:D8489F24C2395B9BF61F5B44A2D99D780E14027BCAFF24FD6D4F64F5C2E6A2E4463EF80F7D479860FE9F1E83F079F72BC2BB0C0A9B42789C32E000F2929BFD1E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):174842
                              Entropy (8bit):5.51176116608254
                              Encrypted:false
                              SSDEEP:3072:3jd+fUNRo5Tz8YIdJalwatCwMrToHCtU8RdjavMu1IWpXVVqFau9a257dZ+Ajh2L:Td+fpTz8YIdXAeSjx7r
                              MD5:82DE775B96ADD126C6261726F8B6E39B
                              SHA1:7FA74D940740618CBAF9C1FC3F842D5980CB9E90
                              SHA-256:B99C1C4B46740FFD6EEBF18FAE460C4F1002FDCDFCBCE56B14B34DB444A47A5D
                              SHA-512:FF41AA8D9E03A1D56BB87FA73BF1836473A2CC1D37C9DACE5CC63AF3871B5ABB24A9816AC24FD1C44BD1545FA477A86FFBB02A29D2047A041361D8E947E1BC32
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):107326
                              Entropy (8bit):6.573360018507263
                              Encrypted:false
                              SSDEEP:1536:WCnUQdFO9+KyIbQV5JzsNj9vM6LbLhpP4eA5:5UQdFO9h1bqJzUj9vzrr9A
                              MD5:217E8BB6172D2D9D5818ADE57B16920B
                              SHA1:B2BD50E8F142251613D7AFB1EABCB185B9A2292B
                              SHA-256:7BC788BC8487879DF6A346BC5ACFCD13ABF6CA861B8AE220CB957C2E6FEAE7DF
                              SHA-512:00D1B347E2F8EC3A42953513052B88478F42ED8ED8B85D39B0BFBF4B2F6081B9E98B4791953A71116E3257D3D285856D9402711CD3689306B00271E174B6E42A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):162106
                              Entropy (8bit):7.3383053146085455
                              Encrypted:false
                              SSDEEP:3072:0Xzhk3i7OJyY1SZ2hQq4TrRkojLR4lU/BRmLWYsnN:0XdkkqF1k2mDP6EPzYIN
                              MD5:C2250C96475A2D696134313775AA4828
                              SHA1:B959043933621DA47ADD79412532DF979FB17F81
                              SHA-256:A9579FAACF00E6119D601E0FC16E2E212BB0ACA361F8C28AED0F432FE8EA1253
                              SHA-512:972FE42ABC861A4976FF498545DBA3DFC04D1C77E4E6576CED57A44E1522201E4C752B1EAE1535D381FA978C6B91A8CDBD786903DBBF846B472953D2F5136880
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):36650
                              Entropy (8bit):6.486652070525305
                              Encrypted:false
                              SSDEEP:384:+t5FhvljQZ9mLq1ATynBfONcyNVy92fkAYVaEIHbYQ5bu1G4UVcBG8gvcm6+ited:krWEl1WhAB699vFhb4sMwQKxpqtZ
                              MD5:AD3618417EC07B17E3DB74C77C967EC0
                              SHA1:98042FBF3682BDA0B6B7FC0709D90BCF777CAB6E
                              SHA-256:C6153122D8F4E9A24847760F3CB123CCDE42D13A594922DD7B747C4645EF14E9
                              SHA-512:860E6BC9B8E26DF9D7E9CCB15CDEE03319EE849E871BE74A74E9BB30BAA8666BD9336D82B0FEC51BD4B0988FD55C83D454BBDFF56ED2CED5A9B09DACE4E1AB9E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):22164
                              Entropy (8bit):7.251298822156911
                              Encrypted:false
                              SSDEEP:384:kxMlZQOzTt+h40ptGx0iGrGmEonPVmGqNBR44EEapvRtrxu4fCYeaSDWWFHMAcj5:jTfwxptGyiGymE0YF945p/xu4fCyOWWa
                              MD5:E837EBCD78F76E5E0933190FC49BDF00
                              SHA1:B723070DDA67796E403CDFA8B98440F39CB50012
                              SHA-256:B06D050999C616FFC07743071612939CF1930C21AE674AA084AB47523E8EEC1A
                              SHA-512:2969E903263A255B5DA8483293ED872ABC1857268CC51D99A99A5B38D5378004D7378FAB645D18012A6321D248CB28733F74A548C632BA7D63937C8264F968C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322907
                              Entropy (8bit):6.406476257876292
                              Encrypted:false
                              SSDEEP:1536:c+EuU6UAroBw4eUmeagursko2DoCMdMJRxYkPhxU78kWmVTcCOdl+7g0gN4cavBd:c+PrroBw4eNJo2xJRK9tWmfOduLs4/
                              MD5:84C0975E8A2FB9FA91313F991693A6E9
                              SHA1:FA2AF10F8ED3756313A4F90975A9FE5A8BF5E973
                              SHA-256:884062C62D0C47B2EC2FFD61B93D311E3AC7E17C3962F2A0C5483CF2FBC8DBFE
                              SHA-512:B3A2437410C2CC0BC5E1206EDE606EBEB98E1BFE6FDD74F70A80B3D9343EAF5CB1EB907A80126F18CF798761E4C94CB241B5BF3B4F5427BC983F6676DCA095E7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2044
                              Entropy (8bit):7.722122204110251
                              Encrypted:false
                              SSDEEP:48:iB+Ter06mJPzDuvAOQsYKhx7lUBOZOiBNfwy5rQxrStGOXdK7:i8erUJLavAOvBhx7CjiBNYy5ryN
                              MD5:371BD2B2ACA44891657D4BA9AD1AD8E8
                              SHA1:77A3129DB6C173241BAEFF2C2C6129F2E2730826
                              SHA-256:AEE0D4A8F4A248695FDBF27EC68DE46DAC6F5728C423F1F2B718978DCCD5536B
                              SHA-512:6E613DEB6393DB783A343591FD33E3BA774367A20BAD0401B4BF7C93AB81A6315F1BE5A2E9B36A4FE197B33BBF383E14047042412803335B8836FA0D9B9C0BA4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):802349
                              Entropy (8bit):6.269291747586535
                              Encrypted:false
                              SSDEEP:3072:FFPYhOnqKYm8cIwHwX2REvNcUAZ5qJNXLTtknTp8+hibGWzsKjC1DSPPYbARJA3b:eqY4RJC4t8Gi6b3IYbcB/Jg
                              MD5:DE657B2116E083643386073E6E56FB94
                              SHA1:3FEF384DC43A635F554A0B199158EA7A977E7EB7
                              SHA-256:0123603890DE795761C18A41CC65B9E6A6125B8394BCF58AB883D1D3855EFEC3
                              SHA-512:535E751A63839FF30A88CA830B395EE420C9A004470F0B8AFD419219E73558293D05440358CF98D0677C315D79CBC73B1D76209D422F13F565C5055B2DD054D4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1842
                              Entropy (8bit):7.708849761870098
                              Encrypted:false
                              SSDEEP:48:SheKqhweqCBRWZgSp73MTexBoPQzWnsSAbgYu:seKqhx9WZtJMeHoPQins9I
                              MD5:0173FA24AE69DB7DF7A7839455BAE92B
                              SHA1:85ACEE39D0FE2877E5BBE0F54DD373D11F329677
                              SHA-256:AA8E22282629B9D288A8A390095936CE154336B214E6C14B813BEDAE5AC1B5C3
                              SHA-512:6746A1A7D4595E8636899DE42DF8BECC1EA2899947182C6DAFC77BC402EC5F6C00862CF7FC5B0A2E89DA617E7DB1499792A015D9541A986C595D2FA8449F6319
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):496471
                              Entropy (8bit):6.416482623607463
                              Encrypted:false
                              SSDEEP:6144:CHazYDrh/insHpMlgcV5huZO/XymXJy5omPX/O:Arh/2sHmgcV/r/X5wxPPO
                              MD5:94456914A92AFEE5B64AE4F87FCDFEB7
                              SHA1:2652400DE550E8C2E50721D445DF8181DAE7C55F
                              SHA-256:F5EB297C1C507FC5B33E41EC380594CB999D5F0C2BC583C0F2378CFB502258A0
                              SHA-512:2BCD3AF0C3F7D5B6D1CF383291FD19BB9004300738C32F21BA216F4DFFC9B10451135F166E835C507065A2A68FC5CBB5161711CB43B0D88672BFABDE0E4B9C2C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.610974219940194
                              Encrypted:false
                              SSDEEP:24:5oDfH6OitCwt4itZv0ZrLV/HLEh8uqGTPwRf2xVKenGjeOVG3PyTUVcWzlRMqtbZ:AiMwtbZv0Zv5w8hGTpjGjFrn4MAky
                              MD5:28D9C9863690DFFEC6AE46065A00E520
                              SHA1:3401FA214FC460EDB6B6A30C72B8BD588B60AADA
                              SHA-256:BAD4B4C29A44E8EDC642763D5494336F87D5A00369FD179AA359724020414CBD
                              SHA-512:475C943A9E06536E1CCA95B03AEB49C8B36BF922FEE48A4DC7F36C9D4DD87C5DBA4E23F3BF8D62656871D00D0138C0C5F3159A97851D378AB1DAB5C6C8564BE2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):254926
                              Entropy (8bit):6.360496392106605
                              Encrypted:false
                              SSDEEP:3072:WzTl+iJDmfS3zEiZPJ9NxTGFDcIq7MdUYs5Mot2WYfkGh:/qt3zLPPTGF477wM9YcGh
                              MD5:C2D5CDC92D73A6CB3FC9BC38271A1855
                              SHA1:4111AD33E32F75BCA833AF935DC776DB15A75027
                              SHA-256:63A9521B2D82CB5A529DC101E34E4F68EA2099F41B469BD9DD3B6B749994E085
                              SHA-512:A864A51E852AF831B636ED6055251AC81A7730521E7AE53AF7AAC9A39743E8A6238C89873A1C6106C738B48285C98D2F71202E95B065874264C7A3B73D7964C7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.648546153683532
                              Encrypted:false
                              SSDEEP:48:h2+lmOHCO95FYsL6bm1OeeWZJIvm82nteDNrj:UaisWKUeenO7yj
                              MD5:02ACA1E859F0776F98516C8474B4FEFB
                              SHA1:4642E79DD90476B2AD3E1543F634068DA391704F
                              SHA-256:0100E0437B67994B9B096525748925963A640152E35293C07E70ACC8D22EADB8
                              SHA-512:26D2B335CC20CAD7CDFC2DCE7EEDB5042F99726228840A9A2B9AC630AC2B49443D40E1A80F25BC7F19FDD994824145834A62938EC2737A302DD89BF540B4F2A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1135696
                              Entropy (8bit):6.3213003883156125
                              Encrypted:false
                              SSDEEP:24576:e1JQ3TYUx2K93xD6A+jJtYCdFwIJEgh+QRjuPS+YvgvbMnR4:ePQ3TYUx2K93xD6A+jJtYCdFwIJEgh+l
                              MD5:4B3BF0BE5BE7EC6B23937C83967500B4
                              SHA1:DD4D4BDDF69EEDBDC104EA262BED9DB9E211E01C
                              SHA-256:FEB5E0C588B8531B337CE8A03776D296427741F30B12C5A57AC29AB00F03FA1A
                              SHA-512:FCC93FA07101DE5E9012CD44450C40BE7F2B6A0F087CC32E9CC1107154119063FBA9059BC909F87429194B454BC73F3B5237680B2191BF5AA66EE26526985AF0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19892
                              Entropy (8bit):6.463147692052655
                              Encrypted:false
                              SSDEEP:384:81dyXdfJd4rJ7CmFQkjoItB+3hbNM+5OLIobHGaoEMsBClR:3bYCzMw7MmhO0lR
                              MD5:331F53FA1A5D3D723B2158C6572A66E5
                              SHA1:25ACEE5EBF7B6E2376DC1E7CE9C8983CD654A103
                              SHA-256:3730C1C244CCFBB1155871D9DF3F5A8F8D3F56246B9B407D75975398F1D58903
                              SHA-512:D61C68CB68F36D386C0569BCAB575E6EFC9D113BE96335A7B47EB565BC24A838E218EA992E18E9FC44ACFA314AC9F5136D2D8FB1DC6F5253F5B9B59881FB6065
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):769144
                              Entropy (8bit):6.346968264857485
                              Encrypted:false
                              SSDEEP:6144:sG/1vhN2xhp1PMbviU/oNjfq0caMzDgMlSnDjYCnIM2XKLwtCDMfQ7:sG/5c71PMbJ/GjifVlSvY+k7rfQ7
                              MD5:D91960683B0B3C47A6908FBBF23048FB
                              SHA1:1D9A75372933EA4E04A4840613F3B6277DDA7A9B
                              SHA-256:A36262BF3B2799A041426290315784F4FE91B0E75428396E0B0FDD84E0382DCB
                              SHA-512:C44ABE6E65CFC5E46905AEA661A41401E9A0F0E5C49A52F282E740E848C7BEC0C44897242C49269FDDBD673FD041C6B80201907DC7284C6D3AA320A86B3891EF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.67372840418546
                              Encrypted:false
                              SSDEEP:48:llvY/h/C/hgNNCfteEuUAZpZPX+Y67qt6FDCM8g:bvk/a/eRHX+v7z
                              MD5:365EBFD24D78EBB6DCDCB28756EEE6A2
                              SHA1:07F09800272F47A986D1EA92BCA08607FDF94701
                              SHA-256:33F54A6637EFE0248DDACECD64A7A517CCC95EC1E043282510D96D447FE4BF75
                              SHA-512:20B1EDFD57F931CC8F3D396E75A53B5A4DC01AB0E951B36CCCFB18CDBEB3BE094D4E22EB5D53326E8C6F218372F26D0CC16717C6958A523D10ED15F8732608CF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1772
                              Entropy (8bit):7.666593715124812
                              Encrypted:false
                              SSDEEP:24:+1AFgZQcwaCdqklkmA2qXj9mwcFncIBGFe0sUt/K2C+Dce+/TCz0QSw13aD5h4v:+ostCrkmA2qYwOTBGFRHreQSwaAv
                              MD5:0C039836C3A61B940B9B66C6E65BC816
                              SHA1:AC5EF83B1E7B8B07235D7071152E11F80EFE965F
                              SHA-256:8DA85AC9F5C03AE55B2984D01F82D1247BEE9EAFA1FC6F3DD0737DF5ABFCB5AC
                              SHA-512:266AAC0D91258BE5BC1029F13F0948E07BCC248DB4AFCA38E0F066B3C7E0ED93C36119BC10FA85A37B5093E477BC3519C938853D75C7B108D347AB962CF3AAE9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2658
                              Entropy (8bit):7.755317888519495
                              Encrypted:false
                              SSDEEP:48:YdqGCTr5b+Aj5OOq0J8ZGPQEeopbWIi6XSxQNuscK6XSb9U75WM5DfeUpBvdl:lrvr60+ZGwobXbNdcXMENjvT
                              MD5:72E806E5C56585F3E15A1817EC9370C6
                              SHA1:5078AEB3DB1E85E8BD4532C0028A16711FDF3141
                              SHA-256:E31B0545234532D273E31B29123543199EAEC8F6513764422FE1DB5E0DB299A0
                              SHA-512:ECC754D1340C8E5774DF5DE32234119EBBEC9CE79D5B01B62A0724C273AAF06642F4EBECBC50A2FD754810E1B306A6D9DBFB096BFDD4C09A81B46C904EE62966
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2658
                              Entropy (8bit):7.759802209113285
                              Encrypted:false
                              SSDEEP:48:z5WvtHt5udVpFeXW2m4BgXz4g9pOk4BgNMujILxm54HuoEP2J9:slbuf2XU4Bgj4A4BgpOQ5PP2n
                              MD5:BBD21BA0F56EA55B65336BEEFE1EA61F
                              SHA1:FD43C66FC954308231C8CC9522049F408D5268CA
                              SHA-256:3F9EF1193253D95233A9DE52307AF2D0183A924F59A698361B4CE1BA015CBC69
                              SHA-512:0FA19F8CE7F0C8ECC45E31CF5D7696CAAA2666C2B548F2E6C330E3D499957A11F76449B4AA4695489E95F9EBB7C7D437C394D016F241BBFBAC95AC218765CCC4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25194
                              Entropy (8bit):6.509366986803314
                              Encrypted:false
                              SSDEEP:768:SsrOn0ZL9cm9S03Q0OHI9tq00IL9pj9m0PY9j9K0N0sL9O0E40S79d6A06x91D9P:lrO5vl
                              MD5:628B0E136756EC3DC9DD23E9B9B67158
                              SHA1:677758F1A31B90C7892DEA6E3F22415C430BB284
                              SHA-256:3DAC28A651F37F4601D2BCEF06C1DB1886C616B1837F425B68E431FB80DF2944
                              SHA-512:27D3353657A8E5F2C739FA1D288A561EF695279E7246FA86DAE9E21D93A2B275DFCD8575BFB1422C8AE7487C2DB1295C0A1D4AE85B2D34A941F3712F5B9D71C3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1772
                              Entropy (8bit):7.723615426500665
                              Encrypted:false
                              SSDEEP:48:Qv7owSvIppBMFa/brcFhbNJ/eafQmWbcv:QzowSQ0awvhJ2a4jbu
                              MD5:8572A2B16CD61353AD0D75063116C056
                              SHA1:EE8D30ADEB9EC9AA057204B3D8ABF0CD2B067C56
                              SHA-256:3E0AA7B5C522E4BDAE724A36025FCFFAE61CA72F9B0AC4D9CD13CCD0E2B4FAF5
                              SHA-512:572C708A2E76E0FF655F80D2C5A64882F4EF973B953FCF4E371D1DC429CDE19728389889E320AB0D6D9DEA920958E1560BB46EF1C0F06F021D2C345FE77324D2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):7694
                              Entropy (8bit):6.683572176314361
                              Encrypted:false
                              SSDEEP:192:nULQ0w381OrR8P19ww0e9kUsR9LNd54tFMXfnmLLqt+AcVh54ofV:oQ06n8P19ww0e9kUsR9L/54tFMXvm/XV
                              MD5:5CB9110A379960AC56A541C15FCDFD75
                              SHA1:8B570ADCDD0C8E95F5094E15BE2DB0287230585C
                              SHA-256:D86C202642318AC75553937B158BC0EC5D9C558D68B914AF417A45AD977989EB
                              SHA-512:70BA1324ACA86582E0FA1B0F51E27C081E1EF90C77D91A0C128CB102855197529DD439F802327987DD84C9DC40982BD08853F00F4C6E9AF12AC4F69AF6A4997D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):367674
                              Entropy (8bit):6.292781219482748
                              Encrypted:false
                              SSDEEP:3072:JS/xyQO3Rmcesezw/aaxCHirC3VOl+WwwZLOkkClM:J7Qp9vielCPwwdblM
                              MD5:71594FDCCE7216F0DBDAFE5D05058DEB
                              SHA1:34164C5802EFC8E8C546167C06E6F7BD233D434B
                              SHA-256:72D1DF444A12C15ACE9362ECE0E3188B355E4ABC0AC9AE4309D39CF1688B686A
                              SHA-512:4412F88519EB2D2EA0DCF8CBB7FD97E7F0B7788719C9AD69C15DC2F3D7787F8CDC6E2D3CAFF070113D02FD9FFF268BA12FE40B41BAE293E252F43A76080D293E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.663227694115308
                              Encrypted:false
                              SSDEEP:48:zL6CsOyr76uzX39e+AyKphuo0dFQ86Q6B//jJlcp4:fYrmOXNCpjCMBnjJOS
                              MD5:8260C3B32442442B7A4378EDC8A1FE8B
                              SHA1:E97AF5511ECBE2A5F3606765FEF442C280E1946F
                              SHA-256:726906DE1B22F626DD551A477E49ACB2E45084EDA75F72CB332A9D0A2C523933
                              SHA-512:7F1FF65E893297E5937E9EF4A27CFF0FF4CA15018E03560BE60A7948CE39594B3992ACAD2034AB925551524D957FEC63A1A2625AD47CBACE75DF0978E8CC9F32
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60747
                              Entropy (8bit):6.524877961173584
                              Encrypted:false
                              SSDEEP:768:R0w0A9J990Op50oGO90D+L0Xnm7lWAktDaD0Cf0uF9+JR0R4i9PJKFwv/OU20oNY:5nQxC17KKtnC2
                              MD5:FC299B0EE60BC81B62DB9CDBBA80F48B
                              SHA1:B0C83621FB0228614021493A7979F5B7497369A8
                              SHA-256:D6860EA6C3962B06083A3F94C4DFF4A60B455D026C0C97D56DE630937DFFFCE6
                              SHA-512:8C4547FAF9305DE40C728F09425B20EA8D6F8FE9CCDC2F4BD022B704B911E87326A0CE536A231A35EE94B5522B399CF8A9C309A2BB5D30FD1BE2F497D997A06A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.667257313608406
                              Encrypted:false
                              SSDEEP:48:XOg1ZK3uGKLODtwh+X6yFOVtWPIA/cmXtw:+g1ZS/KLODtUFyFAtWg+tw
                              MD5:A8655579EF74E9ACCEC13151A436891A
                              SHA1:277B8406EF67A12E0A00EF2515FE18FE226EE42F
                              SHA-256:36F8F5EC57BEEB112E40C04229254D4001945743A0AED427B788E96DCD70F5B5
                              SHA-512:DA18720CA55D18A74474F606C485C43E0328E949BF697053997448F24E1D3055ED18D9894C7BC76974C9672BA88547363FF438483A154F549B3C105B36F0D08C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1891
                              Entropy (8bit):7.699409892859871
                              Encrypted:false
                              SSDEEP:48:n/eC3gA4uU10s3YgsVz8GUm7ZMjG2b40bOFTU0c+O:nwhn1V3xCkSZMy2bRbOm0cX
                              MD5:85B511F3178A46A155A86E688A894920
                              SHA1:F89BE6CA4191D68F954EBDEBED464535633F8926
                              SHA-256:2245253ACACD14D0F9A544121FC7AD3BDE7A9E89E965DB77C72ACE44477FE7FD
                              SHA-512:36B0BF334270A93140AFF974AA6FE4C4B9936291FC7C13EBE4D55FBF23B151BD0E7A6CBAAA519236F5BA9902422724D8D4F2FA898153229E33E2DF7FB156857C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1606
                              Entropy (8bit):7.656487941496442
                              Encrypted:false
                              SSDEEP:48:9jyvfBp8sdy96BGF3SvwSqJPTfE7VRmPkfXv:GBpRyMGRQwjFTfE7/m8/v
                              MD5:152EC2AB0E194555B69238A1E4FE970E
                              SHA1:8E2775143B079600E6CF0B8A07FB27DD0E98595B
                              SHA-256:7C65AD568F11AB293523F4E72C1AED2C40664C37ED165B1A83472D13D64BA0E2
                              SHA-512:036796A3C6789579B59B9FD1ACE5C2F76A6396B47488B33EC37025E5F93FC0909825DCE8C5802C89AE8E03DC216BA2C1AF16AF43CD0EFE3D7B95F2124F264C4E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3326
                              Entropy (8bit):7.788567501224405
                              Encrypted:false
                              SSDEEP:48:Pfrj//MKb9VvgwwiMiwD3L2MW/w0nutZM6ncBGMKslUPLNX7kwmp/8lXTpqRGoaY:Xrj/EKAiMd1JsimNMLJ7kRUqAoYH8tk0
                              MD5:1E6295FBABBFA949ED7C7DB4E3CC408A
                              SHA1:3BCBF735530060A8A236BDA696FE9FD87FC9B69E
                              SHA-256:441C1E0A401F3ED41FECE35F447C81B3927388B25E3C906824FE17AB36696D93
                              SHA-512:672E18896D2B1B3FD28C4A4BCA5C4A9D943B8AE5449BAD0A744B5BE89B76FDC09A5622B8436DC6D9E906785060D7DD882954D81EF61AF73DC4392CB9784ED9FA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1606
                              Entropy (8bit):7.629515147170368
                              Encrypted:false
                              SSDEEP:48:7ORHK0CK0QPKb0mPQdI/xMgJTWgVFvnUvDP0V9:owQvEmI5M+qgHvQP0r
                              MD5:D8ECAE1A5617F66D37C4911204F5BBF8
                              SHA1:AF7F2D629B2792501FA2157F50C942264D1251D7
                              SHA-256:06B4B1FFA3F71EDA4551CE3070D9F3DB5E45C01FCC61D7CCA967D5DADAFBECA7
                              SHA-512:F24413B48FAE5AD01652582463575B92D9C126E5598D4C28AE53F6C3C45010749FEB126A0DECFB4B8E73526E74DB778481928F4A9B841654C81C522CB734AF7B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):551871
                              Entropy (8bit):6.3136956981604
                              Encrypted:false
                              SSDEEP:3072:iFEyEMWEu+7SU/OMVEIFX7xobcZVsBEo/ftdvcTxe:yz7SU/OM5mbcXst78e
                              MD5:1A167C809BD7996344528A419CBF74F8
                              SHA1:2300CF203285F082D7729BFD92559DDD2A555F18
                              SHA-256:5860C66E8243EAC31D5204A785244AE166911FB3744F1B16CF033D3429610B07
                              SHA-512:80BDAD43D57E9D9B23DAC5512F15493F8BC094808CEBBE0E8ED0136481422CFB051D40E632A004A812EB312132C0175D04CD417022F3CC1CAD647B4D1F89B320
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1702
                              Entropy (8bit):7.684504342901585
                              Encrypted:false
                              SSDEEP:48:fv2brVQQvwBSv1b4pqyTwQ6jjku3cRlhsdJ9jTu:MQQv8qycQdu6qjTu
                              MD5:B0B8DE0400248B6F3975C1C22DA0CC84
                              SHA1:DCFA298EDC1091390AD8178F57668DBF1C0F4B04
                              SHA-256:C0026BF391D34622B967AB6D655850245719297218EFE9A994E3B97A128287B4
                              SHA-512:BAA0D912F437A866DBA02FF4B5CDF439539F05EE29F605AAD7EC3A9565C1D88092C9ED15C3B04DA0D0D14F0B9C0AF20BE34A503B87305228BB99EFABBBBF3BDE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2515
                              Entropy (8bit):7.714476323568017
                              Encrypted:false
                              SSDEEP:48:oGFgqQc7lYbjcZ0c9upktdQrin5W6NzCu7tIP+/gjgNrdeN:oGHQc7mHcFupni5BNzL7tB/1Nr6
                              MD5:E32D9CCF127106DF1E0DCBFA780F7A14
                              SHA1:19145199F554E891DF692FC171F41902D448B733
                              SHA-256:DC74754045AD17E5EA970BF21E44DAECB8E1F285592411CF429FE8AB9625327A
                              SHA-512:5B5CCE02AF7D9422F93FE960F178C081EB336EDF74E5C8AFF885BB537A0E6F9D7B851079479A323E3CB045701D8F3517BEA4CD85FDE6C1F380CFF34CE1BBBADF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3440
                              Entropy (8bit):7.814409586590198
                              Encrypted:false
                              SSDEEP:96:LSwgfz0YLXuEEHFy7C9Tl+gYfxEIZsMl+uw5BIH:LHg0H47C9Tl+nrZsm+uwG
                              MD5:10CF733A52E670A6223788A56BE45318
                              SHA1:30495CD386D16FFAD1AF740A0E461B075BCAD97B
                              SHA-256:895A99038B98638943BA9EA2FA069DE5BFAE5703B6601CF8319DAEBBABCD54DC
                              SHA-512:9998BEF02B789C8BB437F9BF514D85B711ABFED38B1049C11E0A58DB31741B81552ED4C616F3A12C59A4BEE30ECA5FB3DFB9FAB51F1F6B8CDFD909E66E0E5A9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2015220
                              Entropy (8bit):5.30664415034156
                              Encrypted:false
                              SSDEEP:24576:PAo6AbzIg6O5cnFh1bEaJnygt7R4E20Ql74srGQ1BYQ1aogxa:PAo6Ab0gdAPtDJyu4aQR4srGQXMHxa
                              MD5:0021BECBB2EAA03AE5146C808554ABDE
                              SHA1:77531C20DB618E3FC9C90CD0F168ED8078501A42
                              SHA-256:AACAA816BC47C6D50A5724AA5AF7C1C49828813A5D48255AE239A6018546FBF4
                              SHA-512:F71C26AFD32F57D53A75BD7AC2DF783CE1177E738D8583BAA746F40F691E36EE29F23BF1DA7B231D180A14DFBDE0190582ABF9B8443478E11750B52435750B9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9404
                              Entropy (8bit):6.837040678483769
                              Encrypted:false
                              SSDEEP:192:TIWF4nDR8SIH8aAhqvhzPdj3l+cIBd0LPGKV+41pXZYUgmFI6ZTf:Tin8JzPdj3lYUPGKV+ypp3FIkf
                              MD5:8FB08A30CBC198CDD1E98973C135ABF5
                              SHA1:E941C8A88014D52615D188A5BA1ADB6863F0A632
                              SHA-256:A9D864FCAD1D3503F3D77C4EFA586DABFD24CE2585879208C7A48A3A68454A2C
                              SHA-512:BF72667DFD7721E442CD43F85B9F36324254254FFC80DF0260DA9CE1911124B7EE3312AE264A327A554935233AF2FCE13965ADC631261AA1C1153F9B432131F1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):687
                              Entropy (8bit):7.1312951541481775
                              Encrypted:false
                              SSDEEP:12:aHJd+2OH1rdJFQJ44j1RNjk6lpD77v5wxtlkT8Ooz5E59+MGnKp:ap9OVrdDQ11XVlpDZWlcKz5EiMV
                              MD5:14E8F403547D8DB06FC0F9D2F7A9A4A9
                              SHA1:AF755803DE396C2456B37DFBA19D4D522010DF35
                              SHA-256:546A9C9AA3136D06E056C8DE5D3140EF414A07EB5835DD9E349CF98CCCE239FD
                              SHA-512:4147850E2FEE30F5EB56CEDFA1CE31283705727A55EFE191C83783F9671A6CC9A8325E0D585BC01F0460D2A7CB3F2C33587F77BB21CEF954F3ACDA024BB0C427
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4925
                              Entropy (8bit):7.8807081415987685
                              Encrypted:false
                              SSDEEP:96:FJS/96VirCmHbez393vpT9B1kobUx1GLqnJA3v0zV3ROj:Fg1eYCmHG393BT9B1ko4OLqJE0z58
                              MD5:E8624ED62D7B4107D4D8027834DC8C1D
                              SHA1:765843EF97E58196388E13E09CE5D5879CC980CB
                              SHA-256:3E79D48B5A48909CB2601595DF00D96ED7609F3D190988CCD2BE56B9FF529659
                              SHA-512:C0C3929DD60C3387578F027769563C9DF518D820D98126130AE03CBFC024714726DEA00F156637AAEB35CFE668C891268AE6D58EB9E4B2BF526DF93050977F34
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15621
                              Entropy (8bit):7.160957027260204
                              Encrypted:false
                              SSDEEP:384:Ox+RAWMitgqN+huBjfsk3fYTu+FvNik1ev7IeMsr/j:OxOAziiqN2uBjfj3fYTRFhcvkfsrL
                              MD5:63D20281D709FF1DF055EC92C3156F47
                              SHA1:621FCF4AD171CC1317BB608B9052B5993243DC22
                              SHA-256:F9B8E287DAA5E1F21D7ED3F6FC9E6D79D06B203FE90B800EAA019FEDC7C4A5AA
                              SHA-512:FFB86A0E731705621D2E44E03DCCA349045328C72785250A8269B70802F1248D3561E200218303F23DF69FC3A189EB530D6F309A544BF87C6CCD0F4820A191BF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8007994
                              Entropy (8bit):6.27751312453401
                              Encrypted:false
                              SSDEEP:98304:8RslpjoRKm5sb2ZS9fepID2fTOII88dRNEi2zjj8Sj:8RslpjoDbp8/NEiUj8Sj
                              MD5:DB9CA6E2064366D9C75D43DD3C204BDE
                              SHA1:5E56ADE3D719E7F0C2DA28F9FD378619761FE85A
                              SHA-256:C4E420B67D3732E895A291728CD698AC323B065BA00CCE2FDE035035E4D0CB2A
                              SHA-512:BE1910F5068E4BA6769A290608A1EB5BBA7D119CFD2341CC5BAA0E8452F01C09EC8D35D38C3D751010D3607E3CC5E956E68BFFE82580922678207465BAE90C58
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13626
                              Entropy (8bit):6.417912692315544
                              Encrypted:false
                              SSDEEP:384:Y4UY5O901v7+epEEWn6kf+fMbyQU+wgR5e723w6QKyWVWWekKKC:Yn01v7JxWRWfM1wa57d4
                              MD5:B594F6E8476C0BB99375457D3B98658A
                              SHA1:69D780A24D19C5C6FB8380003D637BF0AEF0FE20
                              SHA-256:DAD6E1F7F79087F28569C9253DF4A703CEAB437FA02F6D1DAE453A4A6C3EC093
                              SHA-512:D7ADDB2634D90352CF4913FAC84A609ACEF4B7EAF0D83A0363C2BA6188C91003CAB62D5BDB673902F50414646BD1DF5EA3820156F6A169572734574658851EDF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):110906
                              Entropy (8bit):6.658703344488604
                              Encrypted:false
                              SSDEEP:3072:9oj+VBoXUlo/+smBvHxi/7UpLVT5Iks+Nn:9ojGBoXUlo/+smpxizIjIq
                              MD5:C98CD831B05119C15038D9A4134E08B6
                              SHA1:0E6DFADF4F424BD9F6D0F09E341923905FE9A087
                              SHA-256:A9FF58FEB3E0E58869F91D2EDACF57724AAFA64546DEF08DB6A95CD36BEDBDBE
                              SHA-512:1479FC40A526AB5E2FF7B832EA30AE0C5E3908B689B025C373FB3F1FB34FA633EC4C87AF78DC78E0230E96774AA70C25BD140AA0901D075B856858E21AC2AC9E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4410
                              Entropy (8bit):7.387321377343912
                              Encrypted:false
                              SSDEEP:96:EcbbrnCxbbWwx6EG0ye6RNoUKFl3jBPm1bKE41xZ:lb4WhEDyewNkF10Kp1xZ
                              MD5:BA7A94B1DB2680B80B8E3684D6C9F4EF
                              SHA1:24E2FCB30BE1D19DF3E370753B02116AC1D9C654
                              SHA-256:1753EBADC646BD78748078C2AAAE2F5D65A0EC1EBA38E6A1C4808675328C33DB
                              SHA-512:AA14BEF9038720CEE335E7D8E53754BADD3E0C9F356716B18CA1287A22DBE41F2C2E9AB47C9160DA5DA7FDB48261C8DFA9D92EAB770929FE4194B30F0F252BC8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16698
                              Entropy (8bit):6.465853096641212
                              Encrypted:false
                              SSDEEP:384:OS5hs5Np6a4r94hbesDWFsOb0+E4e4jW9WW4:OS5hs5Np6aJBYDdqg
                              MD5:83312B60822EDDFB6736B1908981360C
                              SHA1:03BC47BD03952425F251C44B635685A8AB8F60E5
                              SHA-256:DAE4FE9CF020F24F86CA1FFC5B4D2D2363F72ED29AE73289E81C6377931C1CA3
                              SHA-512:EC1CFE0C2DB13502A20B76C85CBD088F5031589D53C8AD7F5982178ACDC7EB9D9B08F96F520F1EB890CBDAF62697D0B67CD093A5D8778B063D3EAF048C81AC1F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12602
                              Entropy (8bit):4.874969020476556
                              Encrypted:false
                              SSDEEP:96:FyhQJJ3X/zGueu3BjGc4lo7Aho50xLL/AUjZ6AFWSRNMD/y6l0ORlu:+QvzGuLBjeaix7jFWq6DB0ORw
                              MD5:D6F78B2E088B873329B426433BDB492A
                              SHA1:7D9FE83565E5F69D9402C65CC7CBB8314EE2AEF5
                              SHA-256:AE85463FA99CD60E562FFD69C7BB0951E40D0213267DB323A653F55AF31FB87D
                              SHA-512:095270388124E1F7FF4A832B419D4256E2DF50BF696657F2C9394C79CF7276875A829B2CBDB79993305405800C799306BAFA76DD6CFAD3B63462A0EB581FAE91
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):103708
                              Entropy (8bit):6.923919790421063
                              Encrypted:false
                              SSDEEP:3072:sRFOTKjgcM4zCPtZ91/LKKxR9ew+zpalq56f:sLOVJiUtZf/rxR9vSU0w
                              MD5:3CBDF8B55085E9DDA4198BD51BE995AB
                              SHA1:6B6AB5D33A6698859DC36E2AA76D74805A12E56B
                              SHA-256:85ECBC9A3F45481E56435927E1A779C035CD945559B2EBF5929F8A8D1AF0649C
                              SHA-512:01A04DD1B011DF4F6FD91D7C2FCB4FC4153A6A32376D8D5D2DDD4F94CC061B086D2BF90ED0289C4F2598A87F06A1ECC20867D69A5CBB83A4048B641B2D612137
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):582
                              Entropy (8bit):6.977378318274748
                              Encrypted:false
                              SSDEEP:12:bDV99YiFZcSdxSEJ0dqaEx8F7/OnQZ1x7FtpKllYv:dYiFFLSnqlxyOnMfKl8
                              MD5:C8C55A7447A23F923CD16B2F35117DDC
                              SHA1:C66B8778C82699E60FF5A7EBD531081724F48EA4
                              SHA-256:2F4DA70B591283B5FFD730DB48DDFE28CF5D5DD4CC02E8D3BF66CA0F50802B91
                              SHA-512:04AFA9DB84EC01EABB22091D9198110C598CE3304BA205BA8EC8DE0B99D5D0B2CF2D184CAF8D914E0CECB4294D3FB60905DA9DC0E17486B1E16BE54D540E947C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):239322
                              Entropy (8bit):7.116471058841213
                              Encrypted:false
                              SSDEEP:6144:ydmVDcAyGrj+PLgWaAvZ7RN6qyzxS0qC8J/I+Rz:yMSGKt/xXAoCPOz
                              MD5:6B482E3E38E1C949A6957743D5BDBB1C
                              SHA1:1875950AA93E211111A8CA1810CC53A6D309864A
                              SHA-256:B513CA9A3E27DA11715808FCCCAD148BA39065BCC7DA34C431077922BECED95B
                              SHA-512:8E310AB4F9BB602E1766962CF147A4E0010350071F08A776C5F5A85398803626BEFFBE5921061ECD79D203F40348DB274861D7155A67AE358813D6719871ED8B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1516
                              Entropy (8bit):7.598099641902666
                              Encrypted:false
                              SSDEEP:24:CBf6lMntZdKadLGtcCe6+UF6S2VRKlyaIiUwtnieop1DXP+AKk9jpaP9UNUZHo+t:y6l4ZdHUtcYNyRGyP4m1DXP+kpmUNUJN
                              MD5:3D04C2A049EB7436BCD3C7A212B89877
                              SHA1:9B98EAB40651DD45907266430AAD348A502A1925
                              SHA-256:473E7CE19F4BC65B7882B96BC78262487CF8231DEE343ECDE6A7BF1508CDB6B9
                              SHA-512:3CABA7BBAD98A49BEF0FC342BD33C176EEC9514FEC04DB725C2669D4A7BA3DE1D7466FAF471EC4D858796227301C033D598A59FF7FEB17E1C90DF88D8BD58FEC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):41606
                              Entropy (8bit):6.906211769593152
                              Encrypted:false
                              SSDEEP:768:hf4msQTWjb6OdeEFqla/DRqSrB3rfLHJUO2WJKLo846H7bcvMx5ZjPlg3U7/idjE:hf4br7dJesqSrdlgbYvMx5ZD+U7/ihZe
                              MD5:2CAC917BE6FBAEA3254377234BEA8AB1
                              SHA1:8BB90321CEA130E72B454EE0B36DD7B2375E5E11
                              SHA-256:6DAE1FF1B3EAEE1A5295BE920667E4B464BA5EE48B3C21011EF7CE5F7E7CB21C
                              SHA-512:4FB5D30C961B3FA5676FAC21A6FF7E0086A6FB51A9539EAB3750A35242C3B0A98D2DB3337DFE3292992E1012189E70402E220FAE754DC12CCE870143BBDFFCD3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3559
                              Entropy (8bit):7.799387233988961
                              Encrypted:false
                              SSDEEP:48:dmyEVhRrOFN4jPrp4furbApqtp3PLRG6LQ42pLL7LFKLdndjnwpTmVCP0zNB/cuC:w1hjTp/Eqz0iML7RKL3AwCPSEuyPl
                              MD5:D4D685309113A1DAD0648558F81868E7
                              SHA1:0DC4E67A30B54B3CBC90DC07FD525D869E2EADB3
                              SHA-256:9C545199C5CA76D6DC6BAFFA7DC2B526D06C35D7D2BE9C20434A05042F514746
                              SHA-512:29373026E22BA6AA80602524CEE90C1FC7D45F5AA02FF13A4C9A98FC7B6156A4D71540216EDC0605360B50C87E7838F1641450819F11ABDF45D22C8441A5D52C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):115614
                              Entropy (8bit):7.930935838561315
                              Encrypted:false
                              SSDEEP:1536:ou2E5y6Oe7xeTYztgYFIZcsoVDAQVAy/Jc1DfwyEcPJ/TvsTcsij557vQ0gE:yE5fOe4ksZpoFAQDC1GmJ/Laib7F3
                              MD5:2A5567496A9DEFF33A9A3096877A77C4
                              SHA1:E9A0FD6C77FF7F18D41C8152A4D9670B20FCFF4B
                              SHA-256:41729919AACAE798D14171142F3B75FE81F62DC43080BC0DACB56F44F77C9F32
                              SHA-512:CA3ADF4C41A11F03FD521300A0F19A5987821F795F8E22EA3AC5C01A9587B910577885523BCA50553E64D6BC16D6158848C69419406161C21D7077EAEB5C336A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:COM executable for DOS
                              Category:dropped
                              Size (bytes):101690
                              Entropy (8bit):6.7772090010949695
                              Encrypted:false
                              SSDEEP:3072:R4OUyT8GZHcaCLpm+jB2ClYMYp41fcNV7Egkvr8b9MpM:R4/GFcaozN9vK9MpM
                              MD5:ADD82E8E63AB5B7CB3B12268262B2301
                              SHA1:2247DC746305E9F762CC51B9EC996473F0CC5536
                              SHA-256:CF7197A7B51E8C3CF1637A5F8066D3F12BB70AE1770BE369EF54E5A45C772346
                              SHA-512:0E074B38EAF24D155238B8454879E49CDB5F24D0B98DAF5ED1C9E4AF27D9F51BF61E971B26DFC6A060C3BC0E6F04348F1E3D2D568AAF6FAABE56711630791FBC
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:COM executable for DOS
                              Category:dropped
                              Size (bytes):101690
                              Entropy (8bit):6.7772090010949695
                              Encrypted:false
                              SSDEEP:3072:R4OUyT8GZHcaCLpm+jB2ClYMYp41fcNV7Egkvr8b9MpM:R4/GFcaozN9vK9MpM
                              MD5:ADD82E8E63AB5B7CB3B12268262B2301
                              SHA1:2247DC746305E9F762CC51B9EC996473F0CC5536
                              SHA-256:CF7197A7B51E8C3CF1637A5F8066D3F12BB70AE1770BE369EF54E5A45C772346
                              SHA-512:0E074B38EAF24D155238B8454879E49CDB5F24D0B98DAF5ED1C9E4AF27D9F51BF61E971B26DFC6A060C3BC0E6F04348F1E3D2D568AAF6FAABE56711630791FBC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):66874
                              Entropy (8bit):6.791543106334139
                              Encrypted:false
                              SSDEEP:1536:ypW6/mXgUoi77ku48Ts7X9WO3tMQsbWlDpimwxQ2lr:wuXguPXtTbO3iQ1BpjwxQcr
                              MD5:7E2CE9D1C7210C3DA74315054C67AFEF
                              SHA1:8BF6B79B51C891254CC797EDDB4EBD66F32F1504
                              SHA-256:51811F5229A282F8DB160CF824F061ADB4F9EFBCAD8D35EA76F5854CCB6C2D64
                              SHA-512:6E8D45A973F37BB8A33348E39089322B31067D110AF8B29F5D25D499BC8765ECCE6153CDD32FAE8CF90AFFF410A1AA66F9AF7D1B30485552BCAD87CD2D5DE709
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):66874
                              Entropy (8bit):6.791543106334139
                              Encrypted:false
                              SSDEEP:1536:ypW6/mXgUoi77ku48Ts7X9WO3tMQsbWlDpimwxQ2lr:wuXguPXtTbO3iQ1BpjwxQcr
                              MD5:7E2CE9D1C7210C3DA74315054C67AFEF
                              SHA1:8BF6B79B51C891254CC797EDDB4EBD66F32F1504
                              SHA-256:51811F5229A282F8DB160CF824F061ADB4F9EFBCAD8D35EA76F5854CCB6C2D64
                              SHA-512:6E8D45A973F37BB8A33348E39089322B31067D110AF8B29F5D25D499BC8765ECCE6153CDD32FAE8CF90AFFF410A1AA66F9AF7D1B30485552BCAD87CD2D5DE709
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1841978
                              Entropy (8bit):7.106053897658336
                              Encrypted:false
                              SSDEEP:24576:iR8krOzIcnSaNgnqP00JDrjrubP913kCgaISQsXl4Tz:68kHKSaEqM0JkP4CgIQ6l4Tz
                              MD5:78CF1343A6A991EEC9021C806ED79BEA
                              SHA1:0B5D99E83470B31DCECCDFA8F46FCA1C8BA92BB6
                              SHA-256:DE162F79DA0A8F0CDA24B8841C8F050826FC85DF6372667A7D91FBB017132274
                              SHA-512:CD55D1081FBDBA8B07BA2AB13D048F3144E4020212997E0813ED27E77BE2F3A0B9F753E282BC3554E608304E17235D6B8E3FB166A760C9E747FC02C70BA20B7A
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1841978
                              Entropy (8bit):7.106053897658336
                              Encrypted:false
                              SSDEEP:24576:iR8krOzIcnSaNgnqP00JDrjrubP913kCgaISQsXl4Tz:68kHKSaEqM0JkP4CgIQ6l4Tz
                              MD5:78CF1343A6A991EEC9021C806ED79BEA
                              SHA1:0B5D99E83470B31DCECCDFA8F46FCA1C8BA92BB6
                              SHA-256:DE162F79DA0A8F0CDA24B8841C8F050826FC85DF6372667A7D91FBB017132274
                              SHA-512:CD55D1081FBDBA8B07BA2AB13D048F3144E4020212997E0813ED27E77BE2F3A0B9F753E282BC3554E608304E17235D6B8E3FB166A760C9E747FC02C70BA20B7A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):557370
                              Entropy (8bit):7.0402808391464
                              Encrypted:false
                              SSDEEP:6144:q6XdyzJNDhao9KNHMKWgycX+qIYK0gHyGlRZoyc0Q7Apb3EOdFL9P9DK8SS2DY+G:TtiJN9ao9Kx50E/gLFL9Px+TwHu8Ayb
                              MD5:79603965BC44C5A574E44189308C0212
                              SHA1:2A7DD13485C8D54F6910F87D50CBE1ACCB9A4929
                              SHA-256:AD37F4CFDA74E3DA216B478557B03A56D2B04180829D1BD5CA7C2E01456637E0
                              SHA-512:B8708D392558091E82FE23AB1994B3E00E1863E005D1C3CC37B7B9E76A34894B8F7EE5B6C6153278D799FAD6A4CD470B47E7E5C913EF80BB70ED47D510FBFE84
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):557370
                              Entropy (8bit):7.0402808391464
                              Encrypted:false
                              SSDEEP:6144:q6XdyzJNDhao9KNHMKWgycX+qIYK0gHyGlRZoyc0Q7Apb3EOdFL9P9DK8SS2DY+G:TtiJN9ao9Kx50E/gLFL9Px+TwHu8Ayb
                              MD5:79603965BC44C5A574E44189308C0212
                              SHA1:2A7DD13485C8D54F6910F87D50CBE1ACCB9A4929
                              SHA-256:AD37F4CFDA74E3DA216B478557B03A56D2B04180829D1BD5CA7C2E01456637E0
                              SHA-512:B8708D392558091E82FE23AB1994B3E00E1863E005D1C3CC37B7B9E76A34894B8F7EE5B6C6153278D799FAD6A4CD470B47E7E5C913EF80BB70ED47D510FBFE84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):214842
                              Entropy (8bit):7.191207321610413
                              Encrypted:false
                              SSDEEP:3072:G08x1d7sy0JVJcteLc7TSJZ2P2W4C5hs6cCmcpefVc92oT2pPqxaNJ1cZP35:GaJYt8O5t4C5hFcCmcp6Vc92nyxaNJI
                              MD5:E9F4684DD738E7B72B1C96F7111439D4
                              SHA1:1FFC980F838329E289F54775A2867A0CB4B77CF8
                              SHA-256:59B19D74A0F1FB3D1305D1DEC05B24DEBA2BDC21DE356C1A1B736E45DE4FC079
                              SHA-512:0021108BCC4D2083C0F1E1B2C7180F86DBCF6DBDD47E5E4B35912917149EA150C5917D70BC87834CEABB7B475273C982D80A9702D470677B683C4C2F6292C41E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):193338
                              Entropy (8bit):7.242869051932305
                              Encrypted:false
                              SSDEEP:3072:NsaU2cX7Wwfl+AQ0tvS3SEcDfSrDOHAFe3JX3cDGh9K+ZdiWDjHg7:L9h+l6EfSrDYAM353cDE9KYwW3Hg7
                              MD5:5B1124141B72CE33FACE9EF75C73DCBF
                              SHA1:0BC878C4A717FF8B8C178E33458209EF69711E38
                              SHA-256:145D5DD2967FB3CB68AA13002F751C6DAB0ADC33218AC2353F9BA1E417C67028
                              SHA-512:D61E28A6CE9E1DD8975CC516DC89B4DA5DCD0DDE7705EE6C101A9650E743498E2CB1173E95C315D1821905D40B1F9A6CDF2337E8CB8748D990DCF21E56867210
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):953146
                              Entropy (8bit):7.037353997934456
                              Encrypted:false
                              SSDEEP:24576:JrV5xTm4y3ZEHFmy3MYmQSNh+bJs12HvvS7Ls9N1eoq:7Lmy3MY0sC08v
                              MD5:38B331857C3D0345F3FA9A48F7951629
                              SHA1:B661E5FF92290FAEB560C9DB2FCFC35038923BE4
                              SHA-256:4F4DB3AFFAC141D42A86310C3810AD032BF4CCC8F3F6A3196433DA5EFC0BF2A6
                              SHA-512:4C234C9DDB0CD645DCBBD34207A1CCF2878EE6611F58712E1BB615577D826B941F01EE264214BA1DF133F95D79C65867E6DDADD7DD920C41EE4353203CC75279
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):953146
                              Entropy (8bit):7.037353997934456
                              Encrypted:false
                              SSDEEP:24576:JrV5xTm4y3ZEHFmy3MYmQSNh+bJs12HvvS7Ls9N1eoq:7Lmy3MY0sC08v
                              MD5:38B331857C3D0345F3FA9A48F7951629
                              SHA1:B661E5FF92290FAEB560C9DB2FCFC35038923BE4
                              SHA-256:4F4DB3AFFAC141D42A86310C3810AD032BF4CCC8F3F6A3196433DA5EFC0BF2A6
                              SHA-512:4C234C9DDB0CD645DCBBD34207A1CCF2878EE6611F58712E1BB615577D826B941F01EE264214BA1DF133F95D79C65867E6DDADD7DD920C41EE4353203CC75279
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):700730
                              Entropy (8bit):7.020989103998694
                              Encrypted:false
                              SSDEEP:12288:xf+rlO9oEZ9ZOdLa1S5LLJJK36z77g6fKY4Ox32lFWJQNdGW4Np+pIyyEOhDJvPg:pclm70dLjHJJrz77guKYro2JQNdG3P+H
                              MD5:F17534EFC32E1A7875B3109BDFFF70D4
                              SHA1:634F72D7C00CFD74DA369C5EE9717DF399887EEA
                              SHA-256:B88E0E2F9D0B39A5E59A11A9983C8849A6D02319C161EA3504CFACCEFB9ABA2E
                              SHA-512:C2E9F1C525A286A5C0DDEACD41BA3C74FA376A5B5A73690C630062371F4FB4FC72AD96993EA218FF7E4B679F6633E5C79A93570528B61EA2B5F85E572CFC1F96
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):700730
                              Entropy (8bit):7.020989103998694
                              Encrypted:false
                              SSDEEP:12288:xf+rlO9oEZ9ZOdLa1S5LLJJK36z77g6fKY4Ox32lFWJQNdGW4Np+pIyyEOhDJvPg:pclm70dLjHJJrz77guKYro2JQNdG3P+H
                              MD5:F17534EFC32E1A7875B3109BDFFF70D4
                              SHA1:634F72D7C00CFD74DA369C5EE9717DF399887EEA
                              SHA-256:B88E0E2F9D0B39A5E59A11A9983C8849A6D02319C161EA3504CFACCEFB9ABA2E
                              SHA-512:C2E9F1C525A286A5C0DDEACD41BA3C74FA376A5B5A73690C630062371F4FB4FC72AD96993EA218FF7E4B679F6633E5C79A93570528B61EA2B5F85E572CFC1F96
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58619
                              Entropy (8bit):6.537413804034826
                              Encrypted:false
                              SSDEEP:768:f9Fc5FDcNs//htsJKDXaLIEFov5XLERt/0/Y1sjloL:HYDcqAKjUXiLERtsg1sjloL
                              MD5:61932E2AD804882CB1C395A217F09157
                              SHA1:F0CF9CC6C33F2897A016C7951454720AEFA5D4B4
                              SHA-256:7B566F4AB11CBCAEF4BDF193A883E2C8106EC6C43838D0F1C3F7EC6B27E9168F
                              SHA-512:DE8FF8817A4CB275D8440CC856F1C38D93075EF3D01CA6A5B266EFF4E0F52D718934DEE05207F317A63561CBB0AE6A7DDABAF4AFF9C4B5F31FC1998304638283
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5339
                              Entropy (8bit):6.63146135039384
                              Encrypted:false
                              SSDEEP:96:ts00maCBkfCkMa/whZg1tqnSMxCQ0c7sQSa7Fwnhpge9bMHkIjBJYrYDWPvW:tSCB3kp/w61onZ43cqa7FEpPMlIkWPO
                              MD5:748BACDEEF2E6F9B47DDE72BEA9E8F5C
                              SHA1:DEDA3126C6EBF5BE8CF258C4669CEFA58942B627
                              SHA-256:948C65886A092927E3514169DB329DE99813081846AF086F0A55D783A782A89A
                              SHA-512:81F1CBD4F59CA7C891131FAD5691044DCF131A8BBA8546444AC1E8D1BEF248E34EC007F1695A02834B02BED3EED270638483F3D6B924018001D0E7FB5FDA1062
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8090
                              Entropy (8bit):6.6105900233236525
                              Encrypted:false
                              SSDEEP:192:fLwhGpSZQaDpe4Jl/RD2uWBMatEfJuG8Bx:o1GZ4jRttRK
                              MD5:5EA5DCB546A276A262FAB96BA617520A
                              SHA1:7F7837FB673DBFEA80D48EDD60CD9AF06FBAABA9
                              SHA-256:6AEFBB2B7901388E79D9F94538E1D915008AAA13D689771056AAC9CB0D595236
                              SHA-512:8FB802E8CEFA08F90D703B5B40A1E5FC54C8CED82804A4AF8352FAD246FB4B3F6A75BE113AA3EC5F6A40B864517DA7BB554D747BE4EF18D8A755C70E62119062
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13108
                              Entropy (8bit):6.2386416126513
                              Encrypted:false
                              SSDEEP:384:LIcecGJHDy4042UjDuGhp+V77dV9/ubl1SWk6kGZPrISUz:j+O4042OXhpI77x/ubloWkIZPMSUz
                              MD5:7C3A2D9D1A604C38C75757AEF990CD31
                              SHA1:8759914A498FDCDD994A843D8C301307628ABBB6
                              SHA-256:648DF6BE8B02D2DBCF27F8FDE4708336643CE2746F8EDE5803CFE8C33FF57A79
                              SHA-512:EB7AAA17807A11ECA074697E3DCEC30B4480306F960030A6DF8F1F3360B1C19E60DB41C7B45009266FB4705A1ED5E29DF67B4807BC7C5888E13839ED633059C8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5685
                              Entropy (8bit):6.667188102669623
                              Encrypted:false
                              SSDEEP:96:sv6mpykB1+gg49ySfbx9ySmLy1N6cHN63ZTVIvU6/kMQBeW2Vz+gtNmNigD0u:xmI9gX9yumLc0ct63PIvUrrtiyl
                              MD5:078190E78980D64B0DC2882E9A3612ED
                              SHA1:F23782E2F4DE84217248EE95A007E30409849E8B
                              SHA-256:BB5EA9F6EFA5D58F14E66492021415C435B923C7F740208801CA917707DEE5BA
                              SHA-512:C6A49B36BC6FF14EBC283051E1349A1BF892E2ED62C5906006EFB64EAD6C539201168668EAE1850F36AAA18F0C6D2E506D223D0BE25513A4622B9C21319F2896
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9933
                              Entropy (8bit):6.822791120165978
                              Encrypted:false
                              SSDEEP:192:bru251SLaY+qQQAHmXg8q6kH97jBop2jq8LFrpvUmrlhCnEBa2Ke:bSES2Y+ygD9BI27lEEwxe
                              MD5:434C3FFED8CA2B5B58C4FF856C9829F0
                              SHA1:7B85164EDDA40F4752D64B09727DCAB6E87119A2
                              SHA-256:18B3E8F919C479CF5F3B2C60F0B39D55564DB136BFE808927B94F7738BB39618
                              SHA-512:C6682280F22EF7CCD37129C34F7FB11EA6633AC6E987C62B697C1DEC835445E47062578AAC35642B5BA307A2D1F7327E082D5EF0F43882098CF4E8A3EE88556E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11555
                              Entropy (8bit):6.409858036320906
                              Encrypted:false
                              SSDEEP:192:RK+ypx971xY6cp6L71pPvSAksWtASgU3zgreF5p7wd29UcPGmrQij/rjVbodU6:w+yP971xTxL71pPvSL/ApKfUY9UcPAiG
                              MD5:D65B5288CEEEF8DF2969E022066BFFB0
                              SHA1:B90E0ABAF805E25F1EB9BCAACF2C56F5F2A00AFB
                              SHA-256:DFE2838CF9A9D972A4AFE2188716F2B19DC1A5AF20AEC40A5BA31DBE63F7D70C
                              SHA-512:48703D2583166A0387AAFA1AC33AD8E99BB4C3BC69D74100BC64BBDE595EDFD9C1317711BD4B585360EC85D97411B9A640168AAB6E7C5E28113921EED8013868
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12175
                              Entropy (8bit):6.2163039881747295
                              Encrypted:false
                              SSDEEP:192:IpOx0IJaqubB809wWxsY3x7XL0JFvqfm6Gx3vaC+rAbclz69PWjj5e:IgvkbBXwml7E1am6q/N+kbclz69ujjE
                              MD5:ADCB1B470236C960DF9326D2C2699347
                              SHA1:140A3F52B2CBB91088946BF2390E9EC7A678F79C
                              SHA-256:2A7F7A969DE2E0124331D393C6B048664D3A543D335ABA56A3A18B2E2ABBD2F3
                              SHA-512:D1D7E6A21AD6318B19ADE8F2575658CE2A9A4C98F2478F03C0A283ED5ED58D04927E717CDF75C7BC9FB7066A70DF494CCF5D7BA81F5CEF1BE0F6C5665E6349B3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13410
                              Entropy (8bit):6.105379997443317
                              Encrypted:false
                              SSDEEP:192:SPqT+3YfpAVOqq8rMKzv3ovxncNrpxr57Ee+FqqMA7GagJOjWqN7WH5W2Yb+xWKq:gOPGEqqWMg34n2N7/qGTIqsyHU2xL1m
                              MD5:8BDFC4D63B1E43D42B5AFE1B75D85A7F
                              SHA1:E78C086F09EE5E21B6D8196359AC18D02D73DCBE
                              SHA-256:1EC9D0FFD065FFA0E3BCCD773F04094E782E7B6E696F4D8799E9EE488BC39716
                              SHA-512:4EA27699CDA9AD2F96A8938BCCD3B167A9F34663C8EA518B4110791B7C0BFF0A8021606AA9C72EF9640885540035686B33DE0654A99CAD3787A917D520740846
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15351
                              Entropy (8bit):5.933719220450805
                              Encrypted:false
                              SSDEEP:384:JvMd/F+uaINgYF5USiu3MUx84v+cU3xlhos3:RmiIK7MU13
                              MD5:6CCDC144E17759505DF3198A2D2119E1
                              SHA1:29F474E6CB105C64985339E4ADAE945AA861654C
                              SHA-256:3CD526C252296AE8E017AFFFFC5AF7C3FFDC5692E42B55B763593CBADF8F35FD
                              SHA-512:DBFB4EE0ADDCC61E8A77B39FA94411F8A7B4B99A00BB533256DF1ED601E6F38A3D0098FD548FB392E4A2F98EF2ACFC2FA43B672C87CACB7108DCE20292B1727F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5671
                              Entropy (8bit):6.655883258785655
                              Encrypted:false
                              SSDEEP:96:UQmVCvwt3NAvA7uyYAjP1LlkiZxEMX1ukj4aSejCJpAQnEKft+ZOj5qH0bqf0t85:dmVMwPGA7XY6dh/nDXljbS3jAQnf4Z2Q
                              MD5:884D809E131FF37183732EF1C8DA1654
                              SHA1:66A53815662353E21B85FF691DFD06D045403D54
                              SHA-256:5EF314E86F56D30A29462834EF4C07C52A2A00E29FCE513D3A6B8C76747A7640
                              SHA-512:19C0F21466960303749B93B8F5FF046203F69AC4775499288C0D886A5B49ACA80CB86FF3BAB50F0F5B0565ABFD5E846818F5B00CD2478E700F58EE2EACE06E35
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9612
                              Entropy (8bit):6.6116883138110065
                              Encrypted:false
                              SSDEEP:192:vyhNb5+fK0Yl8FDtyVpqkn3HjVvW5e3FUsg0pqYPRJhNCiEUD1FwUZezDP3y8BzF:GEfK0tDsjqkn3HZFVUPDiEAz43jBz5X
                              MD5:A44AF4B1DEED72AA8A1D2E931DBB7E2E
                              SHA1:DDDDA8F9C6A4AF57486652E6923781815009F553
                              SHA-256:2AAC3A6C18CEBC468CCC4E4C67600FA605AED1F4FDB9258C3CCF83BD5825B79B
                              SHA-512:E2C2A5927E77272C325228EB0B802F59620D11503F4C6644B03275D38BCA9456A73A0074148C82C73F241803F9EB8827897812D45E09694CD90ABD965FB7D945
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11266
                              Entropy (8bit):6.622425604466206
                              Encrypted:false
                              SSDEEP:192:TfVJBazB1dqkwKEL9HM1PDHCrk4u08Bbb1AlMdrpdeDErrHW2Oi9QmT8UjpS8vQk:T9JIJqkDy9HMlHaz8Bb2AlcDErFOi9Qw
                              MD5:85D51AF674B0A8CF59137AAB3133BD08
                              SHA1:42257A16B9419C61D70AC72804F73A94B12BA268
                              SHA-256:100F635BBBEF31C04B082EE89885A4C468DD297F2B7215BEE7EC70ED07536D18
                              SHA-512:BA571B26666384DABF9172A283FCABE6042CE9C6A5CEEAB4C30EDF199759838F0D38F5FED91EB08094B080FD8BA9615CEF5575B2C35AF0CAA1E42465476989A9
                              Malicious:false
                              Preview:,...<.[*..X....~.... K.kg.>.p.a....&.Z...'....+W..&.L....wK... Maria . Sich. (Latest Update)..; 9.20 : 2010-12-12 : Patriccollu di Santa Maria . Sich. (Creation)..;..;..;..;..;..;..;..;.71...AS.0.Q..{....I..T_.a.#.L:....7:..8-\.5..=K..*..j.Z...8)..&N...&Chjode..Aiutu....&Cuntinu...440..S. per &tutti..N. per t&utti..Piant...Rilanci...Tacca di &fondu..&Primu pianu..&P...]..^%D...R..2....^../0.o.5.5U..eH..\..Zy.i..ro.C....%q..Mudific...&Affiss...&Favuriti..A&ttrezzi..Ai&utu..540..&Apre..Apre den&tru..Apre f&ora..&Fighj...&Mudific...&Rinumin...&Cup.o..k.e8.d.],..|....K.......5.2EP0..7?..@Fn..S...(.T....${...riu...&Unisce i schedarii...&Prupriet...Cumme&ntu...Calcul. a somma di cuntrollu..Paragun. e sfarenze..Cre. un cartula...6^.r.......P....C..Ss.}.5.K|..n0f..@Tn.w..5J..'.T....].....&Tuttu selezziun....n selezziun. &nunda..&Arritrus. a selezzione..&Selezziun.....n &micca selezziun....Selezziun. da..,Ht.bFnE....T...._.=.u.o.%.5Y.....\..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9464
                              Entropy (8bit):6.806489210032425
                              Encrypted:false
                              SSDEEP:192:ydZODALE5aKFLolEbrUvrsGoJ/oA5V0t4153tuVjrGTs+QEBfzxxW:FALpKFLolEbrUTsG6/o4F1DuVjCIF6zC
                              MD5:4AFC45943704336F2D0A3DD8EF050E45
                              SHA1:375C11FAA493333A2E30BFF7F128690390F5E745
                              SHA-256:667C04B3792E3080B0DE8FF1E9B97FEA6659360FC970FBE4AA384C4FB62D3394
                              SHA-512:95AA2287DA11ECFE50A4B7B0F08259A579A16A70141E7019635875C5B18E7C29D88B02DFBF70CA65A98B8DE19D3D3D7B7DD03605FD1DBD316BD81791C3E1BA75
                              Malicious:false
                              Preview:R.8*.Z......m.> ...F`.......5p.Ez......7.@O.'..S.....q..TsElhanec..; 9.07 : Ji.. Mal.k..; 15.00 : Kry.tof .ern...;..;..;..;..;..;..;..0..7-Zip..Czech...e.tina..401..OK..Storno....g...dW......4.Iy..U....6...eR.....{w.......N.R.#.."p...Q.na &v.echno..N&e na v.echno..Zastavit..Spustit znovu..&Pozad...P&op.ed...Po&zastavit..Pozastaveno..Jste si jist., .e to c..{wnbe.......M....3.pJ...I..O.7P.k....!>`....i.V...#..p.dW.[D...&N.stroje..N.po&v.da..540..&Otev..t..Otev..t u&vnit...Otev..t &mimo..&Zobrazit..&Upravit..&P.ejmenovat..Kop.rova.J8gdl8....\..\.fv.v.]$.....klP.Sz.....Db^....g.K.S.F.<S..RmFou.it soubory.....Vlast&nosti..Pozn.mk&a..Vypo..tat kontroln. sou.et..Porovnat soubory..Vytvo.it slo.ku..Vytvo.it soubo.g.%@-x.......Fiy...[...N..Ip..]i.....(..q9.q.Y..._h.wp...K.it v.b.r v.e..&Invertovat v.b.r..Vybrat.....Zru.it v.b.r.....Vybrat podle typu..Zru.it v.b.r podle typu..700..&Velk..Jwhd,o.....G..zs.m.pJ...F..P.7.yt....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5530
                              Entropy (8bit):6.637842761261161
                              Encrypted:false
                              SSDEEP:96:55sAgs3rkKtBFXrrlHr1vGLQpBUYXiHA2XchEzFsY+aPx6DpgPnsKotK:5+AJF3NLuEXUYX/2shlHpg/sKGK
                              MD5:8B5B8EEAFBBA00F46AB3A5BDEC538F62
                              SHA1:4D9F44C40FEC395B3F682441ED0C70067BBEB52B
                              SHA-256:E35455ECED0DF115AF6FF7FD3FED127670309ADBBC977C03B26207E858848BE2
                              SHA-512:287CE2537D341E8759CF6104C7882B2313A412E08C3EEAF12C09817BF012D4EE9EBA614703145320D644F66D12329CBDE7BE06785B45C3B405CDE378FF5F4058
                              Malicious:false
                              Preview:....=..{..@B^.s.y..y>.......u..!..j+.?fl.......}._..o:h..2{9...;..;..;..0..7-Zip..Welsh..Cymraeg..401..Iawn..Canslo........&Iawn..&Na..&Cau..Cymorth....P&arhau..440..Iawn i'r &Cwbwl..Na i'r .0W.k.L.)..r.)*A..].M_.......N28..v..|Si.v..c...Q.%..._^..~._....Ydych chi am canslo?..500..&Ffeil..&Golygu..Gwe&ld..Ff&efrynnau..&Offer..&Cymorth..540..&Agor..Agor tu &Mewn..Agor tu &Fas..Gw;0L...g]...e.K-.r.].ZK.......;v..*%.P7V.~..*...Y.X..\6..P{..lti ffeil.....Cy&funo ffeilau.....&Priodweddau..Syl&wad..Cyfrifo swm-gwirio....Creu Ffolder..Creu Ffeil..Alla&n..600..Dewis y C&'pA....{...f.1N8t..7MZ.......;.<2..m,.zU`.z........|..o:...$.W..is.....Dewis trwy Math..Dad-ddewis trwy Math..700..Eiconau &Mawr..Eiconau &Bach..&Rhestr..Ma&nylion..730..Dad-dosbarthu..Golwg F2wT...s:*..g./*A..C.UI.....B!.1..$M.5}a.a..}....._...^s..):V..l..Hanes Ffolderi.....&Adnewyddu..750..Bar Offer Archif..Bar Offer Arferol..Botwmau Fawr..Dangos Testun Botwmau..800..&Ychwanegu~pF.p.$hZ.RD.#A9-._.A.......6M&8.....j!
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8679
                              Entropy (8bit):6.675531881490957
                              Encrypted:false
                              SSDEEP:192:+YMcmiHVv9TpauPWBq9MPPboIGWrtYiDyS7d3HhSZ13QOhOiNTdl73QrCTsQ:+jm1v9pauOHPPboIGkYiDyg3H83QSJN3
                              MD5:96ABC6D9240CF1F664459FB15BC3114D
                              SHA1:06162AE7AB5CA16A0E6A83F3110607FE93D03A34
                              SHA-256:CAC291D429E03B5AEB9F6A6AB8BBFC2EB3BD4A4DFF822BEA3306C572266CC051
                              SHA-512:B920E16E1B8C160CB3E934BFA5EB9D6FF55038CFD27AE34CC772440F5480F6DAB13073B8BD41E6A9355D6914A7DEF5E3F0D9978A5AE281EE453C62A848CDD0E9
                              Malicious:false
                              Preview:..kKk.c........%.Y..6.A....^i..6.....j.s.F..U....;.Y%u...en, J.rgen Rasmussen..; 15.00 : 2016-11-25 : scootergrisen..;..;..;..;..;..;..;..;..0..7-Zip..Danish..Dansk..401..OK..Annuller...!.............I..t.|C....1C...).....\.g.X..?....6._.w....Nej til a&lle..Stop..Genstart..&Baggrund..&Forgrund..&Pause..Sat p. pause..Er du sikker p., at du vil annullere?..500..&Filer...bn.c..........d.....b.....R"...4.....w.9...x..UW._.......bn &inden i...bn &uden for..&Vis..&Rediger..O&md.b..&Kopier til.....&Flyt til.....S&let..&Opdel fil.....Kom&biner filer.......Lbd.o.........k.....8.k....['...>.....\..S.......W.6.i....appe..Opret fil..&Afslut..Opret/rediger henvisning..&Alternative str.mme..600..V.lg &alle..Frav.lg alle..&Omvendt markering.....km.*.....`G...+.s........Y;...+..{..0...........z...~.`..0..Sto&re ikoner..S&m. ikoner..&Liste..&Detaljer..730..Usorteret..Flad visning..&2 paneler..&V.rkt.jslinjer...bn rodmappe..E..En|.e........l.....}.O....s9..>..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9881
                              Entropy (8bit):6.639829850155529
                              Encrypted:false
                              SSDEEP:192:Dxl0W0gBfeo/CyrcmlBJMQSgPIwLhyrjM2HCiWmRKf66gJXNZ0NHeZghg/YAMqlY:Vl0fgBW/yXJSgPIwyTG6N8eZghg/HMQY
                              MD5:F4E19EDF37997DB384359FB29F7A84BD
                              SHA1:C7D62A7C0C89EFCB921E8A8B9553512C1C164654
                              SHA-256:671C74BCA0FA796220A1412B8A11AADB43426F397537C6B1661392B049CBA20F
                              SHA-512:5E3AFC12D4FE33200055A880BCADC877993DD1831EB32AD9CC4A7559FF76B713CBCF5A989A0672F901FAE560EB5E1609BB23F4B290BE77AAC5D5B283D81ECBF9
                              Malicious:false
                              Preview:.......%..V..1.>......E.*)qj.\..._..'k.....+...."..8._4P.R.t.ntware.DE..; 9.07 : Joachim Henke..;..;..;..;..;..;..;..;..0..7-Zip..German..Deutsch..401..OK..Abbrechen........&Ja..&Nein..&Sch...MS..A..z.hY.$..eE...p`$$.v.Y. ..f..QN(......+..f.Er..k.F\dle..Stopp..Neustart..&Hintergrund..&Vordergrund..&Pause..Pause..M.chten Sie wirklich abbrechen?..500..&Datei..&Bearbeiten..&Ans........*..d..=.$..rC.....g......'..7 xQd|.?....,_..{..z:...A.mn..E&xtern .ffnen..&Ansehen..&Bearbeiten..&Umbenennen..&Kopieren nach.....&Verschieben nach.....&L.schen..Datei auf&splitten..P.x.......0..2~C.l....j4od.v.K.J..tN....7....I{.a..qh;w.-\Xr.fsumme berechnen..Ver&gleichen..Ordner erstellen..Datei erstellen..Be&enden..Verkn.pfung.....&Alternative Datenstr.me..600.t.....&..}..6}#..f[...ex6.q.... ..f_...(.7....K}.}.....l.P..hlen.....Auswahl aufheben.....Nach Typ ausw.hlen..Nach Typ abw.hlen..700..&Gro.e Symbole..&Kleine Symbole..&Liste..&Details..I.B.....$.....^.o.oD...$.($...K.O..b x
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):17211
                              Entropy (8bit):6.256546508995493
                              Encrypted:false
                              SSDEEP:384:IEte5co/4pQH0t3S4kmcfRSm/4pt9rav1P3Q/p5GCN3ueMb:l0/MClmWRSm0yvVQ/bGCN+Rb
                              MD5:699D552804193854CDC952C89369C85A
                              SHA1:CA760F66288832C606D92B4D8D4B865ECE8E5E56
                              SHA-256:4634ED00D01A4D3A576102A7E8A9E8184559B4FC1C6D33FC906D32D97380DD5D
                              SHA-512:D04A1E56850EDC9566499417FC3CFA72FC526A5DC7B4CCF0153101FCF145DC0F4D327F9D2FE8631464E3B4D40DB6A238F817E4D877447B9D5317FC76F115CFB6
                              Malicious:false
                              Preview:y-T.]...F)CX......i.....3.;..+<?..g......d.TE..e.:.t<.<.....ill, Vasilis Kosmidis..; 9.07 : SkyHi [HDManiacs Team]..; 15.00 : 2015-05-07: Pete D..;..;..;..;..;..;..;..;..0..7-Zip..Greek..X.%..f].....J.[%..T..)....4..........-....)#..].)z+.{..0........................&..........440..... .. &........ .. .&....&..............,XD...$dC..s>y8.\JD...R@.W......%..IW....bL.i.>....d....0..-,.....&..................... ........ ... ...... .. .........;..500..&.............eu...?[9.\D.F..R@........E.s8 t....!.#.....R....0..2......&......&.........540....&.............. ... &.... ................. ....%..p].....?[9.\M.@..RN........E.s8 t....!.".....P....0...,......&...............&..............&.................&....&.......... ....#XD........._>y8.\H.h..Sx.U......D.s2 `
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8224
                              Entropy (8bit):6.639814223765957
                              Encrypted:false
                              SSDEEP:192:VsWmaDh+8Wz2LLqvVC88bAD94hQ7MMKM1+Llu7i6trzep0k:VvuSPqvVCpbO94hAZy0tY0k
                              MD5:A629F9808781A1BB03D7EC784B12EA2C
                              SHA1:FA0571F8EB528C0D814D9469EC2D264463BC8B17
                              SHA-256:D7365FD8AAB34B96B2ED6A8D6C866EFCF4AC0251727CF347795ACA3BCFEF3E34
                              SHA-512:C16A754447E4D1F308723C22A1B7D2858964369D27346EC402A7434ADFCF87E7AA6DFFC7C04062D10CA99346C79822DF09F58F282DEBE39C1C00200EE9D646A6
                              Malicious:false
                              Preview:...g........m..Z/.D.CSd.=..O.....o|...T.X.tq.l8.....;..6..*....;..;..;..;..;..;..;..0..7-Zip..English..English..401..OK..Cancel........&Yes..&No..&Close..Help....&Continue..440..Yes to &All\Z.3.4!X/T.A..hm.h...7.n.^r..g..6).....l9h..y2.......G.Kl..Z*..aused..Are you sure you want to cancel?..500..&File..&Edit..&View..F&avorites..&Tools..&Help..540..&Open..Open &Inside..Open O&u%#.8.MD^8..A.Yf...C:!.n.G.....-7...W.O>Dw.d!.......@.=I..ZS...&Split file.....Com&bine files.....P&roperties..Comme&nt.....Calculate checksum..Diff..Create Folder..Create File..E&xit..Link.[v.0.%<........yc...C^t...y...F..{...s..@+=.h#.........mh...t..ection..Select.....Deselect.....Select by Type..Deselect by Type..700..Lar&ge Icons..S&mall Icons..&List..&Details..730..Unsorte5]...!:X8..A.."...,.7...~...G...C.....Aa!>.+..........;B...k..el..Folders History.....&Refresh..Auto Refresh..750..Archive Toolbar..Standard Toolbar..Large Buttons..Show Buttons Text..800..&.4.|./".....#..}t...=.7.n.'u..J..<<...@.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5566
                              Entropy (8bit):6.677413539464986
                              Encrypted:false
                              SSDEEP:96:Vaj7H1Q48Ci+fMLb3udstZ1QfTwZTdKRa+5/FtoUQskNsrX7J1PsMMUHAEWa4xap:VeH1Q48KMneK3ufUZ5sR9ZQskN+PK7bq
                              MD5:448570437127C8511DBC5C0EB3D55520
                              SHA1:FB533CE829CD4991E5399EABB07488A53BD5F660
                              SHA-256:104B1476B7B182FC4AD6D5ED0121E1318C467DD1CB5FBA3D9720EA3980B35C4D
                              SHA-512:0B0886B9BBDDDCE8012B8969D7CB992F27C9F57DFC12A5A0EBAB6C64EF22E37F06FE6685C0869A104934240F59A1E3C6F515A38C899842EB3FE0D627A7D333CE
                              Malicious:false
                              Preview:.h:o.?..a.M...B.R..t@..G.m.ly..n.,...w...X|..M.....!x...c....IU...;..;..;..;..0..7-Zip..Esperanto..Esperanto..401..B&one..Nuligu........&Jes..&Ne..&Fermu..Helpo....&Da.rigu..440..Jes por .&iN..^....`._Ed.0...._.I...N..<X.K.1...Z../^|......kwu....O.."M>0-.Pa.zita...u vi vere volas nuligi?..500..&Dosiero..&Redakto..&Vido..&Favoritaj..&Agordoj..&Helpo..540..&Malfermu..Malfermu &en^......}....,0....G".1.'.<,&... ...#..c..J.b.'.u....c...-*.en.....M&ovu en.....&Forigu..&Erigu dosierojn.....Komb&inu dosierojn.....A&tributoj..Ko&mentu..Kalkulu kontrolsumon....Kreu &dosR..!.........26...../Z...I.}5B._.O.GEZ..OP`....v.r..... ...1..iun..&Inversigu markon..Marku.....Malmarku.....Marku la. tipo..Malmarku la. tipo..700..&Grandaj bildetoj..&Malgrandaj bildetoQ.r....`.u.."b....s}..j.e.>6Y.C.,..x]..._{..H..nuux..4I..(0J..&Ilobretoj..Malfermu radikan dosierujon..Supren je unu nivelo..Dosierujhistorio......&isdatigu..750..Ar.ivo-ilobreto..Norma R..6......8.)r.....&L...).Q.D.^.0...#..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10353
                              Entropy (8bit):6.553127982278752
                              Encrypted:false
                              SSDEEP:192:lsJFDWkCPO9+Rpb6BvHl4AylnTcss0by7SP8oOyttOuzHOT4x9:lsbrEO9EB/uGdZfvx9
                              MD5:39117549BD3273390458C5A41BDCEABB
                              SHA1:D252B42B7721239ED009D104AC1B6716028EB2B1
                              SHA-256:AC3D08D36489E8DEE047DCF97458DD11A3D0DA5FB91B9CC2D8ACD1071D8ABBAC
                              SHA-512:109C46EAE95D9842B375AB689F890C94FDB09639D2A4DFFCEAC21503E3EB236DAD2E8ABF9A2FDE8E6181427B9335E8479FC800E315013F4AAC29C6145E5740C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7385
                              Entropy (8bit):6.662537268040554
                              Encrypted:false
                              SSDEEP:192:428KWR8Q2NTijA412YK9eK35G6ztc8c9s+B:424wTRR3g6Zc8c9s+B
                              MD5:A968E2E23BC6136EEB5CB7AA00707610
                              SHA1:B4E1A371C09370423A84B55CDCBB1E6F01C93507
                              SHA-256:4242F242E2C92F78D05A4F9EA772C6614C651B57CE68ED7FBA73A6D3C700054D
                              SHA-512:B1E8DAC2B3E38E73DB477ACFC5F773BB9B971C29A6C5675702E0CB678841FCB80E35749FE7DCBADE412E75719E82E6CC73A4768C5F23F51239FE4D0053DBDE81
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9208
                              Entropy (8bit):6.491740075605579
                              Encrypted:false
                              SSDEEP:192:4p4T3/H0mMmQAhGWatheVz1JgCVd/EX8DJPHbLNFj:s0PUxG+hUHgCVd/EXSJnHj
                              MD5:3BA3F320522E01D35EDE089D02128BEC
                              SHA1:31985CA2A3505E60C66111E372515BF41B2AD365
                              SHA-256:D699F025D7269C33BEAFB92164917FF57F4CD498106D5AF3481BE1E94C376A4B
                              SHA-512:F563DA5A75C3030535E598CDAB94478BF25860CA867F6AD81D79FECF965CC6E777C7DEF8F1A45639E915F850BA34AB0A9C6B5597415C0A5C27A7F88753F9B9E8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8035
                              Entropy (8bit):6.590378060970491
                              Encrypted:false
                              SSDEEP:192:1+so70FQly6ck22e5VSgU4gUAtPoCPeiqFSncuBEuIUMrqz:1DoIFQsxWehbGPoC8Mn9BEMz
                              MD5:8191F5FD09A2F41E0841750428FA24DA
                              SHA1:3F1091AAF341FB605A5BBE34F6A6FF8D7ACF01AC
                              SHA-256:D6E8F7CB1B78DA125C6ED87C4689BF1A88EED14AB3F8CB4E98B85301264F403E
                              SHA-512:D85954ECCD90A161FD667AEA96E6D35D49AA35BBE5C52F1D03BE87DFABA315103BF312FB7B4269DCD596D5D2E2F712621B62B124D57ACF812D4A87FCA604B886
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14110
                              Entropy (8bit):6.292690438566404
                              Encrypted:false
                              SSDEEP:384:ROIZ2zREJeh2ZyDCzL+vOaR6HDRVMKrJq7xGF:RO6C2z62O6H1VMKQ7MF
                              MD5:DD62A1CAFF9AC9503DED810E19D4CEC5
                              SHA1:54E2D8DA73D46C864AD7DF1EFC031816FEF69213
                              SHA-256:1479A821546E023680C3609440622B8973FF320EF10A7F4EF14876CFD692A5D0
                              SHA-512:6BE7FA922F57AB892449C2D00F19E15CE2F257012BCA81DEE097FBC8235BE071DE027BB0B398B6D946C3F6FD8848F3493BCE81F04EAC36F220BE84600AC9181A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9345
                              Entropy (8bit):6.5423571995101915
                              Encrypted:false
                              SSDEEP:192:Kw9zpETVS0fen+Lq35VfIsGUhBBV3wV0rwtS+8ZFaQ/Fe3:P9zpF0G73LsNaktN20cM3
                              MD5:0FAC4102C986A3014BB327D6C23C113B
                              SHA1:AE8C0C507358B17E249C97FA5759426184AA2562
                              SHA-256:5638128811902AC51DE1B18C2F2D66090B7BFCFC01E502F20F460AECD0ECA544
                              SHA-512:75BC381955B95F15DD1B257E181E30782514B1B8C2E236DBD6EE3A4CE3051C57EBD025BC23E2AD217E4200C51F8025D81241113783574D2975AEC553B632A557
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10224
                              Entropy (8bit):6.584261583846985
                              Encrypted:false
                              SSDEEP:192:RLQgCK5Cs0dJcIHFcW8zUxLv+qbvTBKelqNX6DLHhXoo+M/Z5lXN78eYDF0EsAsv:RwQaJbFcqNvpbvTBKelEqnVtX/Z5ld7p
                              MD5:6C5D7CB4107DCBA7FD711D8B2FCAF1D6
                              SHA1:CA8D1BCDBCB87FD8BFF4943D4567B4688FCE1125
                              SHA-256:3A209CB5506A199B9086B6A2800F8E07197612ACFDADF9C790DE55B9D5CB0145
                              SHA-512:9C4FA5A030485A5284505760C3CDBED8758491E5567775CD995A10529E8D87B525DB2BA2953144A3CCB9354E6876F2358F7E3900BE740F4B1A007DA1BB0EEB3D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7831
                              Entropy (8bit):6.601743556729752
                              Encrypted:false
                              SSDEEP:192:Yk/YW7VF9Zg9ewRyHDBOPoa90/JyCwc1tUILBz/+UG+ycmQRoTg:5/YKfZgRyjcga90EILN/JG+ycmQRoTg
                              MD5:33A23E15FE0837D73F8CB5BBDE99238C
                              SHA1:0F4628546A55A941A731E47483E7F90851B9B530
                              SHA-256:9E6772453198EFE4E4774EC15C7B50593EEB7DD1E663E70D9C9C7AF68778DD9F
                              SHA-512:D28D5EA68273F057F420D62C128005F8ED714DDB84A253FEC7732E1E447477244304D62920A5DB4688F803849A00D84F1FCFEE804C7AC2D1F219D6224FAD2A71
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6747
                              Entropy (8bit):6.654895501195357
                              Encrypted:false
                              SSDEEP:192:voLERXepwWN/zqVH/Nn6DJJ/bVobPTufKLLbgm48:GbqVHQhBeifWgm48
                              MD5:1A0F7DFBCE3448DACF4B721B408A155A
                              SHA1:A510973038AD849510E2F514F63C985319A18F5D
                              SHA-256:67CEE5BD505C4B684B53B953C0452641D858FCFBDA31BF905AAB65B45EACE92A
                              SHA-512:9CDAD1EB492263F4956826014F3EFDF24781C04C0AC530815E0D94F839972EF0457CD0B59B2D6B8F7E9869AACA49E7A02D0008CFFB4A3BAE3017DCF9798A4F63
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8624
                              Entropy (8bit):6.539769829233085
                              Encrypted:false
                              SSDEEP:192:SOoJdKfptABqTm/UEbruPHPGDlkgitgvxKDdzBFrY0MpVBSi19Ln1XC:1oJAhtAETm/vilrpMFSoB1S
                              MD5:1246C283C2EFAACC93CE9F7508E84864
                              SHA1:982FF528F392639E41C2A382FC5DC55977C8BDDE
                              SHA-256:CFBDF7F98ACBA90BB72B0A59F4EE9CADD45C7092D245DF82F54A4749774C5564
                              SHA-512:649920AB591CE05F76F7E847419085D542DC32CAC820C6C79CDED997E1C457FAFBB579086D88D98044618CD7D67C5AAF805204BE27593C7AB84DFFE6E3A0C885
                              Malicious:false
                              Preview:....,.\...).,g...PS]....k.....)~.....j...q.zeU.....).....%...;..;..;..;..;..;..0..7-Zip..Irish..Gaeilge..401..T. go maith..Cealaigh........&T...&N.l..&D.n..Cabhair....&Lean ar aghaidh..}.q.....K.t.jS.....1u@. ........+~.d^../....K.o......B.e...u.@lra..&Tulra..&Cuir ar sos..Ar sos..An bhfuil t. cinnte gur mian leat . a cheal.?..500..&Comhad..&Leagan..Am&harc..Cean.in..&..3.d2..f.=.lP..Q..Z...'X.s.....A......"....l.i......J."..\W`.igh..&Amharc..&Eagar..Athainmnigh..&Macasamhlaigh go.....&Bog go.....S&crios..Scar an comhad.....Cumascaigh na comhaid.....Air.&./..K^...z.y@o1[..1.$....Q.....8l.e.O.&......b........A..GWd.h fillte.n..Cruthaigh comhad..&Scoir..600..Roghnaigh &uile..D.roghnaigh uile..&Aisiompaigh an roghn.ch.n..Roghnaigh.....D.r&.).l(w.E.5..`..P..9|F.N7.N0=.../v.i..C.t$j.i.....G.".zkFD-.ine.l..700..&Deilbh.n. m.ra..&Deilbh.n. beaga..&Liosta..&Sonra...730..Neamhaicmithe..Gach rud in aon chiseal..&2 fhuinneo..K.O b..F..cS....."wG....6... ?.b^...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9927
                              Entropy (8bit):6.631338574699835
                              Encrypted:false
                              SSDEEP:192:2AiVQ5ksszIUKnJA1zdlsLTfQ1O9pqnUm4ZtiKWhoZBeBPaoo6a84Cu:iQ5bs/KnJCjYfQI9pqnF4fvB9Ia84t
                              MD5:C186441C473023ABF9C2714E36711A07
                              SHA1:F51F1FAFFDBC05B6DC9D0BE4DD66468570CB958B
                              SHA-256:8D76736E2C0B68F9E7C9C9DC36D521320D320ACDD5AAF86829A53522474084EE
                              SHA-512:3D8CE8ED4FB96CED7DBD93B5421E26FFF0BBEE5854DF8035ED352EE7E3E64CCA5D319A5994D3EB1F5E6246DFBF2C62C169E0B1E93E85A33498F2A8F7502C84BE
                              Malicious:false
                              Preview:..q]V.....v.uz)._.......8.|HjA...W1.oV........RF.. ..w@.#...5. : 2014-11-26 : enfeitizador..; 15.00 : 2016-02-01 : enfeitizador..; 22.00 : 2023-05-13 : enfeitizador..;..;..;..;..;..;..;..0...G.....1..-.=N..x..........eZ%....sE:.........L.k[.F.dw@.P..!.on..Pe&char..Axuda....&Continuar..440..Si &a todo..Non a &todo..Parar..Reiniciar..Po.er por de&baixo..Traer ao &fronte..&Pausa..:..........1]..R.......y.D]`Q...&uT6........D..#.F.8.8....q.ritos..Ferramen&tas..A&xuda..540..&Abrir..Abr&ir dentro..Abrir &f.ra..&Ver..&Editar..Cambiar no&me..&Copiar a.....&Mover a....../........N..F.........n..!F~O....q.<.........H..>.b.@w@.%...n.dades..Come&ntario.....Calcular suma de verificaci.n..Diferenzas..Crear cartafol..Crear ficheiro..Sa&.r..Ligaz.n..&Alternar f.......@..I..J.........+..*.]k...}E=.........'.>...j.f...d..n..Seleccionar.....Desmarcar.....Seleccionar por tipo..Desmarcar por tipo..700..Iconas lon&gas..Iconas &mi.das..&Lista..&Deta....z..E..N.1A]...........>.1....F.....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18083
                              Entropy (8bit):5.842638015205963
                              Encrypted:false
                              SSDEEP:384:7WzDChoC+5x71C2b+hmh5OKG0B2Z9W/SXJTIOx2rtqAX2ft/fq417/L:6XCIn5RG0+pIOotqAupX/L
                              MD5:9ED35F9115524F929A2853287C6F0780
                              SHA1:4BC120D2AEECA7F9DA40466C92894E294D3CFDB5
                              SHA-256:3F204AB0660D3BFD8EBE576DD41F90A1151DBFE0804649AE8F12E5F8EFBE5ADD
                              SHA-512:2A90E05B8E103C2B927ACD7B456CA3C755BEB26C07EEBBF228C0B659704E1F0B582E073A0206339FD7C07F5455D89402D22B03A1352669A443EA8ABC56995E94
                              Malicious:false
                              Preview:....]>..7.^LH.....q<f4uOG ...[N.{......HU[.;X..$g<..Ak.%...... ...... ..........;..;..;..;..;..;..;..;..;..;..0..7-Zip..Gujarati, Indian, ............qk].....dO|G......\..`.f\j.%J..7#5H?m.$g;..AtJn5O................&.....&....&... ............&.... ......440..&... .....)..7D.p_]....:........Z.f..0.r. .a..........-)....n?%.$...... .... .....&............&........(.........)......V..P..:M0.Q.:.~..L....o.,..{.,H8.*+..$.....oLc....l.Jo.O.... .... .... ... ... .... .... ..?..500..&.......&........%.......j......[.M.@:......\,.h.f`j.'.0.......nsc...].$.kT.....540..&......&.... ......&.... ......&.......&........&...........d.....$[.U4.K.}...\8.R",H".
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11718
                              Entropy (8bit):5.985537849850257
                              Encrypted:false
                              SSDEEP:192:/DVS7vxiSYO33F757NYmkZKpxLQPdt+7fjzvF9YWrWUdXArEV/NKtJfEthNXfQT:/pK/VlSmkYpxLQPdY7TYGDgEVww7NU
                              MD5:3FB96472E4D63F6DF69EAF63AEF08964
                              SHA1:9EA26B0D32DF54C6CC5288056CB15C72F6C5FBDB
                              SHA-256:FA1061C876E5D048EDF7698286649F6D8A4656EF1D59CEA25B2D3A5E1EF54064
                              SHA-512:AEB18246BF0328D49E4D8D96E0577445626BF2D82C95D10D4B809D2F4DFA187A8691682DE5EF7F9193563EFA125D1DC02667E9747E98DCDAD43F8FE164592082
                              Malicious:false
                              Preview:.oQr.8.y..X.....v.......W.>.:.A.........N...*4^.C. .:{.".n : Gal Brill..; 9.13 : 2010-04-30 : Jonathan Lahav..; 19.00 : 2020-05-01 : ION..;..;..;..;..;..;..;..0..7-Zip..Hebrew......$....>.M...2.{|]....Ph...".$k.+...~..\.!.sU..Y.E(.p..;.l.D........&......440.... .&...... &............... ......&.....&.......&...........+...[Ty.......1=2.{@]...a./.j.:..g.E.L=.._...<..4^.S...<...QF....&.......&.......&.........&.......&.....540...&....... .&......... .&.....&...+....[a....s.tO{E.8.].5^..].f.....E..~.._.!.$o...'E(.p.{y...C.&........&. .......&... .......&.............&....... ..... ..............OgY[o.....0t.{B.5...v.....U.:..g.E!L.......4.G..S.(.p....l.D&..... .........600..... &........ ..... .....&.... ................. .....+.......Z.p.M:.{D.9..R..Y.'.\>....g.E.L
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18185
                              Entropy (8bit):5.904981636226813
                              Encrypted:false
                              SSDEEP:384:0ErDiP7GVnI4Wx//3s16mgD4q1UV8/03jQZ1MKHzWqsBOZvuUpQ:pqTGVIxePjQZ15lhpQ
                              MD5:54E66EB45823B61F65B6ECE8573A2FCE
                              SHA1:890FF4A55180760A5C15B8DF583109F276C45F98
                              SHA-256:6FD14F2471301AE2DCF6DE9535D1A67EEE6D0C5B99C2AA1E59AED72328D1E6AD
                              SHA-512:74793D098AB2CB3B090B63B47367B04E6FABF9AA5B8AF449C44BB067498EEDF0A3BDCD51E1F2E34D907F1BB1D5179704E6D2A8AF52BA0919E99FE07DCA72685D
                              Malicious:false
                              Preview:2W.......LF.[.....H.....'YI.h..e.H..lyF...f-!...Jn..B.....;..... .... .......;..;..;..;..;..;..;..;..;..;..0..7-Zip..Hindi, Indian, ...............b.....T......L....d.Z=(....N.r.p.2.y.F......hL..W\.Y8..Y..J....&......&... ............&.... .....440..&... .. .... ...........t...Tk..B*...8.y,I....=..4.z.Uo...X^/...8..Mn..B...%Y..J... .... ......&............&........(.........)..&.=H...9W5..;...o..d.Z==...N...Y.v..r..........k*..#..`.Y..J... .... ..... ... ....... .... .. ....?..500..&......&.._.....g..../.L....|.)hS...\x......Ux...X^.F...,j.k(W\...Z..G......&.....540..&......&.... ......&.... ......&.......&......yD.>..}XX..k....|.'hR....x..4.q$...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8931
                              Entropy (8bit):6.618901821342764
                              Encrypted:false
                              SSDEEP:192:+y61G6DeYNxXKz6VQbUls2lszN2D9meaDKaMGnCze:+jjXiXD2uN2D9OK3ve
                              MD5:2E11C8D583450899BC760D91DC550A10
                              SHA1:56FD5FDB72B9373E697DB80DD73D621377936003
                              SHA-256:F60A1B440E544D0EDE7030159E5C640DC07AF8342C7968A1AEA224969C4EA537
                              SHA-512:246A00F86B166E089D6EADDF6DCCAFF44E4E616EF50AC74CBF9F118327BB13DB9F3725AB95A21876E96FDD0ABAEDC8F64F698A744BA9E304A6D07A018223D617
                              Malicious:false
                              Preview:.W%....M.h.8.e.P...OJW.d. ...e8vT\.?...U.l.dt`._..aBn.#...`..nagi...; 9.07 :..; 15.05 : 2015-06-15 : Stjepan Treger..;..;..;..;..;..;..;..0..7-Zip..Croatian..Hrvatski..401..U redu..Odusta{...!^.&m..xH;q3.......%.{.(gK9x..D..'_...2=Y.^.9KNnN8...@....Ne za Sv&e..&Stani..Ponovi..U pozadini..U prvom planu..&Pauza..Pauzirano..Poni.titi?..500..&Datoteke..&Ure.ivanje..&Izgled..Z..F1.I@b..|H;q<...y`Q.%.}v.:.a#.qC....Q...N. ....]agn.7n..g..ri u &sustavu..Iz&gled..&Ure.ivanje..Prei&menuj..&Kopiraj u.....Premje&sti u.....O&bri.i..Podije&li datoteku.....Spo&ji datote~....Y...`..?1G6p.......8...XEE..O.i....L...+3t....^ ..;1...v.jivanje..Stvo&ri mapu..Stvori &datoteku..&Izlaz..Poveznica..&Alternativni tokovi..600..Odaberi &sve..Poni.ti odabir..&Obrni odab|...c0.N.}..7k<]-..Z....%.s.KE.z97v.....L...d =....d.df....|..bir tipa..700..&Velike ikone..&Male ikone..&Popis..&Detalji..730..Neso&rtirano..Sadr.aj mapa..&2 okna..Alatne &trake..&Korijen....H9.\...k*..[........d...m.W"}_....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10491
                              Entropy (8bit):6.752847802651541
                              Encrypted:false
                              SSDEEP:192:dEFiJzzYdWEgx+FSrPo+wOmauFvzfoosdnP0H6ksmivM0V6p9MVQlZzPJ3fPUf:ug1TFro+w3auFLfo5dnMH6ksmivM0V66
                              MD5:FC48F221C0E44DAE3967F936DB1DE554
                              SHA1:473C2B014FF16634BFAEECBCCDFA883B5BD363F6
                              SHA-256:6E17CFDF8B8815CEF695B2E1ECE7A23D8E914128EDAE9677262F55A0220526BB
                              SHA-512:9ACDD7FA9CA264F6789AD4899067E7BA720DD491D7E37F702F65A34EE56219126A65A89ABFCD705ADE9DD3E5BB9B1B765DD21BD2113F3FDD42202211F53F6FC8
                              Malicious:false
                              Preview:c... .V.Y.!W~!....Zg.2..Z'. ".9>h...J.1Y..5N..@.w....v.......*yilas MISY..; 15.00 : 2021-11-09 : Barnabas Kovacs..; 22.01 : 2022-07-15 : John Fowler..;..;..;..;..;..;..;..0..7-Zip..Hungarian..Q.f.{..._i1. (.>...Aa.w.....[N=...phV....&.x.j|PP....l.........&Folytat.s..440..I&gen, mindre..N&em, mindre..Le.ll.t.s...jraind.t.s..&H.tt.rben..&El.t.rben..&Sz.net..Sz.nete..y.w......-oq.G.\..p1Cu..l~.v.7dz...r.=U..._.0. ..(..x..S..Bzerkeszt.s..&N.zet..Ked&vencek..&Eszk.z.k..&S.g...540..M&egnyit.s..Megnyit.s &bel.l..Megnyit.s k.&v.l..&F.jl megtek..h!.....M#epA..I.W./+.@`.i..t.,....S..K...{...q..|4....4.t&helyez.s mapp.ba.....&T.rl.s..F.jl&darabol.s.....F.jl&egyes.t.s.....T&ulajdons.gok..&Megjegyz.s..Checksum sz.mol.....J7..8M.;s....9.. ,G2.".s..j.,......#....]G..N.u.X....5....p.s..Link..Alternat.v adatfolyam..600..Min&d kijel.l.se..Kijel.l.s megsz.ntet.se..Kijel.l.s &megford.t.sa..Kijel..t../.4...>sx...G....U<..w..sh.:...egmE
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14451
                              Entropy (8bit):6.134692009136722
                              Encrypted:false
                              SSDEEP:384:uOJ7/q7RjdYpYb2phgS9kbmbzOsLM4rGZxO:3J7C7F7b2DgS9GkMZxO
                              MD5:9F4E551970D36D799FF4A635A1792024
                              SHA1:521FE45734EED75F9DAD02334CDE8EAEF0AED927
                              SHA-256:2003582A68CF334583FA25562DA4524D81EEE3C75A8D97BC646256BC53285047
                              SHA-512:E4579310DA1E17C32EE6F571B19B6F2636362BA6D60200E57BE0141D9D3BFFDE67AC8153751AFB441EA795BC6CD6F3FCA2D867AAD55767998792DB1C1A8464F4
                              Malicious:false
                              Preview:C........RP`*.f~....S.c~FFaW..0L.{]..u.......f.."N[...E../.Bo|r.Ohanyan..;..;..;..;..;..;..;..;..;..0..7-Zip..Armenian...........401.......................&.....&....&.y.k...w.?...w.N.>M.-.....U..{..s..[:ws.u.=8...7^...;u....... ...... &......... ...... &.............................&..............f|....g2....l.N....P....q5..|.s+.^9Vp.\(^Y..Y........n........500..&......&..........&......&.............&..........&............54.f|....z1....x?2O.=n......aQ.U....._.,n".fr#.^L..G..U.....4..............&.............&.........&.............&..............&................q..a.......3...T...@..d6....s/.V.! ..".^A..D..1..*....n..&.................&.....................................&....... ..........t.F..-....$.M......5....s&X.9
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8976
                              Entropy (8bit):6.569115199175694
                              Encrypted:false
                              SSDEEP:192:7mlEmEEy4W0YZuajJo7O45v/e6t7rmb7vQ6CiiL769Qg:7wEmEH4WVZja7Oavj7rwvPQL76Sg
                              MD5:CC812CCF10A5178ADBC0E5AE4ED8FDFA
                              SHA1:DAA3ABB22BEAE78AE410DFAB84060B9B9C1EB592
                              SHA-256:EB058739A959D721807539AAD87F2418138033FA69C75F623906EEA1AD0D5277
                              SHA-512:305E33EEB791EF6AF91D6F1DEE52342FF8B3A1792FC969892E1B41C6D3C6C465EEE6E7B083BA18BA58CAADE130023A766D7502CDC5B371BC728D5EC0E5832F1B
                              Malicious:false
                              Preview:.F...s..JGp|}.....j......0<Z...Q....m..G%...*....$.......2.2..;..;..;..;..;..;..;..0..7-Zip..Indonesian..Bahasa Indonesia..401..Oke..Batal........&Ya..&Tidak..&Tutup..Bantuan....&Lanjut..4<..7.R...H.E<F.!.....A....li....h..G6..0p..d...Gt.}L...}.ea&kang..Latar &Depan..&Jeda..Dijeda..Anda yakin ingin batal?..500..&Berkas..&Edit..Tam&pilan..&Kesukaan..Pera&latan..Ban&tuan..5<..7.q.. .r(C.`...A..F...Ci....B...R-..[Q..-.....@X.xQ.....hma Ulang..&Salin Ke.....P&indah Ke.....&Hapus..Be&lah Berkas.....Gabun&g Berkas.....P&roperti..K&omentar.....Hitung ceksum..Beda..EH.G..._.[)G.)........`om.......>U...q.bN...$..u...S.{an..600..Pi&lih Semua..Batal Pilih Semua..Pilih Sebal&iknya..Pilih.....Batal Pilih.....Pilih Berdasarkan Tipe..Batal Pilih Berda{.uV.]..].=W..p.........`nm.......V<..p...."....X.hY...5.:0..Tidak Disortir..Tampil Datar..&2 Panel..Bilah Ala&t..Buka Akar Direktori..Naik Satu Tingkat..Riwayat Direktori.....&Segarkan...bZ.A...:D2E.4...m......m}.......@6
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5322
                              Entropy (8bit):6.5972330353621045
                              Encrypted:false
                              SSDEEP:96:CLU7cHYDi1RXZLBa200Q+C4+bcCef9cXz5dffQv52ruWxoK57VzCc/TEBePkgF:8UuYUjLDJt1+b2f6dfIv5nWxoK5ZWc/j
                              MD5:768BB8502CD7623EE9F4009D9FB86236
                              SHA1:C8AD5588E0A41D6350685439A000FF07FE659D01
                              SHA-256:174652E99A8E6DC47943A109EC4F7ABBD177F2AFD7B589FB8C42412430E041E6
                              SHA-512:7226D56F3EDB219EC4C72591B8DA99190962F9F43B1808C381CF1EA56748FF1838392772155106E714D74A53365086AAC26515B84B4831983D4E51603ABEFAD6
                              Malicious:false
                              Preview:.....lV.c.a$o.F..M...b..@.}.%.D...9.....PcZ*s[.....<......]I,.;..0..7-Zip..Ido..Ido..401..B&one..Abandonar........&Yes..&No..&Klozez..Helpo....&Durez..440..Yes por &omni..No por o&mni..Halt.n..Ei.l.'.4......`.d....$.p.'...N...... 1#AE\.....D..r...;.R abortar?..500..&Dosiero..&Redakto..&Aspekto..&Favoraji..&Utensili..&Helpo..540..&Apertigar..Apertigar int&erne..Apertigar e&xte.....E~.j.!iD.@....{..O....$.u._...[..F...39%.)2....<..a...'TNzar aden.....E&facar..F&endar dosiero.....Komb&inar dosieri.....In&heraji..Ko&mentar......Krear &dosieruyo..Krear dos&iero..E&ki.u....*.....<.4..U.b..O....c.z.F...Y....4.2R;?....TV.|...2.Jar.....Desmerkar.....Merkar segun tipo..Desmerkar segun tipo..700..&Granda ikoneti..&Mikra ikoneti..&Listo..&Tabelo..730..&Neara.~..!....aD>.|.......'..H.).?.L...9..}..3?6Rh$......@.`...".N..Ad-supre ye un nivelo..Dosieruya historio.....R&inovigar..750..Utensila panelo di arkivo..Norma utensila panelo..Granda ikonet.....H..a.s.;.}....{..H..^.O.^.G...F..b
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key Version 4
                              Category:dropped
                              Size (bytes):9060
                              Entropy (8bit):6.74699694390725
                              Encrypted:false
                              SSDEEP:192:55D2uUFfmdkPExg92fFh35BLVVF9Ux3LtDbX3qBKwicZ7sSIwE33tmh+X:55fUAdD692f7JfVFqBWB6cZ7xIKh+X
                              MD5:895799ACD225F3DE25DA80181C63B1F2
                              SHA1:F3381DEC8420ACD4776DCB757182FE951CEADC35
                              SHA-256:630EAAC52F9AFFFF70E22DD6A855BE2C0F8792FDDDFC73EFA0EC3AC4322587B8
                              SHA-512:309C02E3F78126172043D92D9F6E741F475564AC28975B7625B4F5E0C2BC883F1DE1B93A4248F9BAF7689FB7F80FFF23EEB16D8CEF5635315D163FC12F32212F
                              Malicious:false
                              Preview:..>...!.:.>.4M.f"q..a.].r.<YQ..#E.!.qJ.........".`}..<Q..W..son..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Icelandic...slenska..401... lagi..H.tta vi.........&J...&Nei..&Loka..Hj.lp.....6...'......._.z.....>...@3b~...(w>X.Q.....H...c....17O..Endurr.sa..&Bakgrunnur..&Forgrunnur..&Gera hl.... hl.i..Ert .. viss um a. .. viljir h.tta vi.?..500..&Skr...&Breyta..X....{..a.'..L.@+...E.9.:.h....~.XH..Q.|gG.......x}....F....@. innanver.u..&Opna a. utanver.u..&Sko.a..&Breyta..&Endurnefna..&Afrita ......&F.ra ......&Ey.a..&Klj.fa skr......&Sam......-.....\N.Mm#...#D..)..cF..`..qV9.Z....E...9.&su..uE..Mt5lu..Mismunur..Skapa m.ppu..Skapa skr...&H.tta..Tengill..&V.xlstraumar..600..&Velja allt..&Afvelja allt..&Umsn.a vali..Velja..P.+ .....\N.a~/...oD..!......|...c7.X...RD...F..s{..X<....&St.rar t.knmyndir..&Sm.ar t.knmyndir..&Listi..&Sm.atri.i..730...flokka...Flats.n..&2 spj.ld..&Verkf.rastikur..Opna rn1.....}....x5..K]'...;UO.<.idj.....eQ0.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10064
                              Entropy (8bit):6.518808967233373
                              Encrypted:false
                              SSDEEP:192:SDvmuMre7zsPqLN4aFr1oqoRCasJwMq+1VrdiHgTg3gd6BVyMU4W:nuMeOSZFav6wM1fqgTg3g4ycW
                              MD5:1169AC6187BA8433853FB25EAC51522F
                              SHA1:0BD5BD3E1EF54D2A83057C711B3E4C8B3BB6C86C
                              SHA-256:8DEDC1180BFE15D070FBCD7BBAB1FD5C95DF05EEDC78296F946EE0434FF3F9E1
                              SHA-512:A074E0C81AE9251F59B1B5718730763B4C4655F488C449C70BE61F3A4B5FA482B5AF5876458DB754A3AF89768765BC19807DC3B309EC76AC71EF2AF87863E4F5
                              Malicious:false
                              Preview:X.>.W.;.^..r.o&?.a#..47{I.8...&....u..].H=6..K. ...)n.q.7....6zo Reale (some corrections)..; 15.05 : 2015-06-17 : TJL73..; 17.00 : 2017-02-01 : Massimo Castiglia..; 18.03 : 2018-01-15 : POLA.X..V.E.......BK.t2..='{G.\.o.5....... ..^S..K.....S'.F.(....9n..Italiano..401..OK..Annulla........&S...&No..&Chiudi..Aiuto....&Continua..440..S. per &tutti..No per t&utti..Arresta..Riavvi.X..?.W.Q.U.U...T...a7+.We...o.....J..^."Y...1.u..7..."......7 di voler annullare?..500..&File..&Modifica..&Visualizza..&Preferiti..&Strumenti..&Aiuto..540..&Apri..Apri in &7-Zip File Manage.X......Y..w.B...+g..1..M}.O.|....~..D.Ns:..a.'..^`:.9......>inito..Rino&mina..&Copia in.....&Sposta in.....&Elimina..Sud&dividi il file.....&Unisci i file.....&Propriet...Comme&nto.....Ca.6.....U..Y.O.t..m..ne:.Wg.F.b.....t....k:?..L.C..[)-.9......RCrea file..E&sci..Collegamento..&Alternate Data Streams..600..&Seleziona tutto..&Deseleziona tutto..In&verti selezione..Selezion.{..{.3.C.W.S...w,...D>.[r.L.g.....s..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12531
                              Entropy (8bit):6.719308295954861
                              Encrypted:false
                              SSDEEP:192:0Z8hxSqfAusMkdrqkiYq+eGmzt3/Io0BsqWubxo9orStcm0I1aQPt3jIY8POFAAW:0Z8hxAXblTiYet3/2aq/e09s31WO+AGh
                              MD5:5053F90C1FD37B6D15B701FF0603E234
                              SHA1:061475DD8C7BD7DAD0EAE6C5C0BC627A3ED40FB2
                              SHA-256:0EB99E3860B42B5E7023194B98064A4459041857C144C4208E2C26F106573E3F
                              SHA-512:429AF300F10A3A7B46AACA61E01DE79A805284BAAEFAB45573918F7F9658BF059118D20052026A388D4A9C2B2383F3AB94AD153A3E59E510B68DF081B869A945
                              Malicious:false
                              Preview:.].06zl.$ro.......'...vV..-.L...?..z.....(E..#...U...y.3...i : Mick..; : : 2chBBS-software..; : : Crus Mitsuaki..; 9.23 : 2011-06-22 : nabeshin..m.>9....cr.............].l.....\?j.3..G..X......(T...k.#...y : Rukoto Luther..;..;..;..;..0..7-Zip..Japanese.......401..OK.................(&Y).....(&N).......H>7*Ii....J!:.. .....+..a....$c.'F.7 .q...Q.F.t.T.f...T.....(&L)...................(&B)..........(&F)......(&P).......\.(....Ii...J..=#.F........&.az...c.'F...n ..a.....#."....~a&F)....(&E)....(&V).......(&A).....(&T).....(&H)..540....(&O)..7-Zip ...(&I).......wI...!.......=T.. ..~Pn...@.*...7..s....N...u.O5....q..:.)6...(&C).......(&M).......(&D)........(&S)...........(&B)..........(&R).......n.-Y.-..... S*5._6.$.....v.VO...#..$f.*
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18517
                              Entropy (8bit):5.652038318845205
                              Encrypted:false
                              SSDEEP:384:djtqab5RtAVuXBuCF+5vqEtH/cb3r6UsZI4XenPm3vBHI7z:djHx85FcX6PZI4cPp
                              MD5:C79E52AE860EB2A3A2A38144CC112CBD
                              SHA1:D44BBACFE0065FE17AAC7AD40DBEDADF7066B2A5
                              SHA-256:A194D8479443685DBFEC4A344C040CB74B2BBF750039FDDA0C05883961780AF2
                              SHA-512:BDE902C00B4C64D5C66D41833402B08449832DF1DEE1B4B3172B1FE2D9C0DDDF35D35DA5786D833AED09211F4F560F21363369C25D6DD32F344F957876B688F0
                              Malicious:false
                              Preview:..$._..g..N.+.1.....I.....?.[..}GD...{.8.. z.!"W.g!..+.T...;. Maghlakelidze, original translation by Dimitri Gogelia..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Georgian..........5..ON.I......1R.."=.M..R ....d..d.".D...d.:........_.5.J.......&......................&............440...... &.......:L..}.>I4.m..."..."=.M..R ...."...5..o...M...X......a.hQg.......................&.........&.... ........&.........L....I4.m..."...W_...'B....&...5..D.`.0d.:.........w..J..... ..... .......... ........?..500..&.......&...........z..N. H+......2R..../..R ....d..W.l.p`.=d..Xh.......w..J'...........&...........540..&.............. &............]..1...&H+%..."...W_.;?(R ........5...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8416
                              Entropy (8bit):6.663968822131622
                              Encrypted:false
                              SSDEEP:192:9x8pnFte+qdXbvVNCnBPvFufRXx35a5eCjMLsE1cb0:gpnFtelXbvCtEXlujMLsZb0
                              MD5:BE651D473DD62BA564C890050FFD1512
                              SHA1:D128F4CDE84B759C6EE88F881B8D5701FB4FE941
                              SHA-256:F23E7ADA6F59B335A6F10CF9CA945F70C2C73CE3203EAA5CB3D573D63CBFDE87
                              SHA-512:A1FCBAF5B2F452A9FE838D197875DB394A1D737C05707ED0BA79BE09C00D93CB8C46FAB1CAEF9EFB6EF9223F4C1AFDE5D8E5DA97F8D1DA4CEAE1A3DCE28E8ADA
                              Malicious:false
                              Preview:I..%.<...*.Mk...r."W:.V>.[..._.B.Q.pg[..t+....S...l....h.3G..d;..;..;..;..;..0..7-Zip..Karakalpak - Latin..Qaraqalpaqsha - Lat.n..401..OK..Biykar etiw........&Awa..&Yaq..&Jab.w..Ja'rdem..../.......9.zG.z.o..|r.......e.....D..MT..r&....N..F....6.O9...w..Qaytadan baslaw..&Artq. fong'a..Ald.ng'. &fong'a..&Pauza..Pauza q.l.ng'an..An.q biykar etiwdi qa'leysizbe?..500..&Fayl..gZ.[...$..@...x.j4Y..|!..K.^...._.iJ...sl....?...@......3G..^..&Ash.w..&.shinde ash.w..&S.rt.nda ash.w..&Ko'riw..&Du'zetiw..At.n o'&zgertiw..Bul jerge &nusqas.n al.w.....Bul jerge .ffm.....c.#G...,.j(Y..|!..K.[....\@w.a..G....2....s......W&...iw.....Sazlawla&r..Kom&mentariy.....Qadag'alaw summas...Diff..Papka jarat.w..Fayl jarat.w..Sh&.g'.w..600..Barl.g'.n &sayl.~L......:..../.KszD...f.f8.^..W.W..g0..r#.o..:..\......._:..@..Saylawd. al.p taslaw.....Tu'ri boy.nsha saylaw..Tu'ri boy.nsha saylawd. al.p taslaw..700..U'&lken ikonalar..Kishi &ikona.h3..Z...$..@...,.fW:.F..?S.M..F.Z..MB.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8903
                              Entropy (8bit):6.751002060912208
                              Encrypted:false
                              SSDEEP:192:KZY3H/5VUZ8cON2SSmyhUBXZpoTDSU0OCJh52wF/MsIIEJoTOE/HCVJ/Q:X3H//gSSmyKZpoPXQJh52w/1zs4RCVJ4
                              MD5:9BD61D747BF0850021FF0FACC8205FB9
                              SHA1:6570CA037FB0EE507A4148AFB175BFD12DE402E7
                              SHA-256:B8646D4819CCD669452411A81912E43B8A97307F3DEB66EDBCDDC561BC586941
                              SHA-512:61FE3C658EED0C6C0B14477A72452AD372A4CF16A0FE2C5AFF9638227BF5ECD43EE75C854156A2A2331BCB9FD5FD0C5EED7C2744057C5B5284F11601B13AEE6B
                              Malicious:false
                              Preview:.4...p....t.s.]T....!J...V..ZjK^.B..........7....lFQgF=..I.S...;..;..;..;..;..;..;..;..;..0..7-Zip..Kabyle..Taqbaylit..401..IH..Sefsex........&Ih..&Uhu..&Mdel..Tallelt....&Kemmel..440..Ih i7..S.. .:.9=s.nY..E....g.^...p...a........../....-.4)f7..L.T.&A.awas Amezwaru..&R.u..I.bes..Teb.i. ad tsefsxe.?..500..A&faylu..&.reg..&Sken..I&nurifen..&Ifecka..&Tallelt..540..&Ls....U.....S.~.....e...F...*...e........F.R9'.A.maN6..A...em..&N.el .er.....&Senkez .er.....&Kkes..&B.u Afaylu.....Sdu&kkel ifuyla.....A&ylan..Awenn&it.....Timernit n Usenqed..Ice.n.S..1...XQS..Y..i..lv.......u.O...............).xB>.~..5.ernate Streams..600..Fren &Me..a..Kkes Afran i Me..a..&Tti Afran..Fren.....Kkes Afran.....Fren s Tawsit..Kkes Afran s Ta`........`^A.u...f.h........Uq;..........>R:/.."bP.-v..O.8.t..&Talqayt..730..Ur Yettwafren ara..Askan Imlebbe...&2 Igalisen..&Ifeggagen n Ifecka..Ldi Akaram Agejdan..Yiwen Uswir d Asawey.....F....Z.o.z...m../U...5...=.b......
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11046
                              Entropy (8bit):6.3775741378042055
                              Encrypted:false
                              SSDEEP:192:WTZnk8KMsqTQNNUnqbM608fBxPnEWuzPdQMKO8Uoseji:WVkWZQHxPny+MKCosx
                              MD5:80C5922E272B45B9EA016C179D9D6830
                              SHA1:BE571BEB71E615A0E44F126F383D31C6A41A3AC4
                              SHA-256:3ADA467E437AEA2765DB4D4F5CB7F89D99DF4D94D0ECE5CF89DDDE25C5E1E484
                              SHA-512:3D9624843D1F9D6055A17901AD97EE57C0017D3A20433947F4679815046C0A40A20EB95D64EFF440EC80BC9093CFB654B5B22FC656F9A60B13F006A56EFFF306
                              Malicious:false
                              Preview:.s...8...........,S....E......gi9.;.T.......Q...%./.r.....,<.;..;..;..;..;..;..;..;..;..;..0..7-Zip..Kazakh...........401............................&....&.....&.^..g.6.....*%E.0..4.3.Z.....i...jm.C....!.kF.D.)I.;.'......)... &.......... &................... .... ......&.......&....... ...........f.7.4z..+...0......]..3.ef.....$....i.@W<...Cz.....Md.I..y... ..... ..?..500..&......&.......&.........&...........&.......&..........540..0...?.d~.<..rI.T_..f`..6..jF7./i...kV.R.3.. 6jpQ.|{................&............ ......&...........&............&........... .....................<X7.4z..+.D>3.. ...eR...4.i...jf.R.:..!...^...z...z...................... ........Diff..&..... ........... .............600....... ...........d~.<..zH!TX..fhS.6..aG.5.........
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10603
                              Entropy (8bit):6.93625715275303
                              Encrypted:false
                              SSDEEP:192:Rr5PoHc7E5FdVaSrgRBDsnBFmWvqDkNXxmjbqwq+8tAn+JyL8rtI:LP+c01aSnBFmQqDEXxEbXaAn8ygpI
                              MD5:943177E77E277471A788ADBA121F1980
                              SHA1:AE903BC1166735E971E3F2352E7127CF57B3DE2E
                              SHA-256:D98D0AA62A9D74B3E2BFEC75A481429C61DB2B33FCE3D3B697C9E035B976FF18
                              SHA-512:411DF48AC5EFDE3B367A79C1B5FFEA898C3874F4858EFD19AB3E8AC165C3AFEC111184741F3BF7598140E0E8692108428BBE28E512C8F0C6EFF9DC3F009064EE
                              Malicious:false
                              Preview:}..[...!L..q...........ta...hE....{}F.E.pp..*..$.F.AQ.z...P>..zImage..; 4.52 : Hyeong il Kim (kurt Sawyer)..; 9.07 : Dong-yoon Han (...)..; 15.12 : Winterscenery (Ji-yong BAE)..; 16...@..#$F..C...&.R.a.^:%...;.....Y`}E..S...h.bm....W..4..1A...; 22.00 : Winterscenery (Ji-yong BAE)..;..;..;..;..0..7-Zip..Korean.......401.................(&Y).....(&...j?x..|....@..0.<?.......".mQ.W..g.....m..Z&... r..}.Vq.. ...(&L)........ ...... ...(&B).... ...(&F)......(&P)...... ..............J".5We.n...K5...oN'\mh....t=.....R..@...\9.+...|...z..o.(&V)......(&A)....(&T).....(&H)..540....(&O).... ..(&I).... ..(&U).... ..(&V)......sbJfg.;LL.j.....;.r...;..zL9._t=..C,..e.m......T_.W..Y...G(&D).... ...(&S)....... ...(&B).......(&R)....(&N)........ ...... ...... ..6....... 3..$........2^.f9uR..~..!..!N
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12651
                              Entropy (8bit):6.305984390584062
                              Encrypted:false
                              SSDEEP:384:Rb55FqTtPAPZwXSTqWnYaDHwcpAnHspU2hIg3iG:Rb5382ZwXSTDY+HfAnHspVIgSG
                              MD5:266ADEF11AB8A8A2931ADD9C62B1B012
                              SHA1:81F075F49FD6BF654578394C59D1E92888374FAB
                              SHA-256:33211A0DF6349E2A6F760351CC1652C9EC799DE792E425B3EB8D9371BC74D8B5
                              SHA-512:9C3CE57AB6ABA769E564D7975E2BED08918C46BD1C24CDEE122FA4DCB7DFB13337A4942E96F2FF7C3AC8CC6C835FDA21CC5EF45788AD867D57ABF044525B07AC
                              Malicious:false
                              Preview:=.. &V..E.iiv.......Qf*`.c.Z.h..\.v..l....k.q.2.....Z'..'.D..}....;..;..;..;..;..;..;..;..;..0..7-Zip..Kurdish - Sorani.........401.............................&......c....H.f..Z.r.h.q+....|..w.k..O....<g.o..q...=..3..Z-...K>..h......440...... .. &............ .. ..&..............................&..........A&.qd.s.C+..C...A_.t...h..q.}...v..7=.....Z3.8.r>.......... .. ................500..&......&..........&........&...........&........s.A...9YZ..Z+....S...L.k_$.b.e..e.l...C.yp..}...X.O..I.@6... ..&... ............. .. &........&.......&..........&..........&.......c....C?.3..........Q{....T.>.?....Z..r*.l....<..%.~...Y.N..s.N6...&........ ..........&...... ....... .............&...................&.........p.......f.u..*#.&...'._$.\....f
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6088
                              Entropy (8bit):6.70389037526212
                              Encrypted:false
                              SSDEEP:96:ujQWtX63VpgdxktSuzyCgijefHan7fBMGmoWUo8Py0NrcLLgO8W/+nKdI63xu:uUW03VpgditSHCgijevan7JmoZowyYa4
                              MD5:FD02570D1AF54838F8C6A822557C400C
                              SHA1:EEE769806F8596652382AE82880EAD140ECD483F
                              SHA-256:1E14C07A1750D7B7BD68D0D09656FA8EE34DC54C31239E32B9229F890A14A181
                              SHA-512:9E3E5EC4F3B711B783139E5BD7018EF9764EA8C002F310005C7C0353D669651865F74D1FAF1DBE066CFEADF8B1AB9D89B5DA46D72F54513F62800C31035CA3F6
                              Malicious:false
                              Preview:.%.4...W....4V..kHR.t=....u..g7..C..3..%K...~.v..q.d.q......;..;..;..;..0..7-Zip..Kurdish..Kurd...401..Temam..Betal........&Er...&Na..Bi&gire..Al.kar.....Bi&dom.ne..440..&Ji Bo Hem.^]./..JV4...G@....2K.d.T..#......N.V.......j@..g/.d.Y..]..tt..Li &P....&Rawest.ne..Rawestiya -..Ma bila betal bibe?..500..&Dosya..&Bipergal.ne..&N..an Bide..Bi&jare..&Am.r..A&l.kaU]......4....g.0u-6..|..S2.."E%._.Q.v.>...v...d,....q.Ce...an Bide..&Sererast bike..&Navek. N. Bid...&Ji Ber Bigire..B&ar Bike..J. B&ibe..Par.e Bi&ke.....Bike &Yek.....&Taybet...Da..7v..JR4....i.O>I7.<x..].)..Mhy....?.=.....~..n*9......Ce...De&rkeve..600..&Hem.y. hilbij.re..He&m. hilijartin. rake..Be&revaj. w. hilbij.re..&Hilbij.re.....Hilbijarti&n. Rake....HYS-..L....".S?.6...2....%...N.5..5....nX..G6<z.d.8....E(.n Mezin..D&aw.r.n Bi..k..&L.ste..&H.ragah...730..B. Dor..xuyakirina sade..&2 Panelan veke..Da&rik. am.ran..Peldanka KH.bY....3.........-. o..{2.,.S..V.:.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12770
                              Entropy (8bit):6.3641501903952715
                              Encrypted:false
                              SSDEEP:384:H11MPB8R6vW7OG3P/zAunC8e7T1gNPYweqPB:/MZ8X1LC3oA05
                              MD5:6909751772D4433DA0C505F9D54D6D11
                              SHA1:0674E5246C6B0B5433F1AD069262C9108DB0AFDC
                              SHA-256:FF55E4DE6D0644666F7DE06575EBF878F4141C92F949D3918D506DAB70217F30
                              SHA-512:3601E1ADF14D9CCBCDB37F470EFCB43FBEE7710070843196AC7D8A980465B723425F3BD01264CF714ED884BFCFCBCA20980B173538BB8FF376F4C72EB0E7FD5E
                              Malicious:false
                              Preview:<.L.*v&y*URS....J]....oC...{E.....T...`..yk....HW..{b...9..,.Q4;..;..;..;..;..0..7-Zip..Kyrgyz............401..OK...............&......&.....&.................&..#........De.SQn..2..[_...l)r.O.Y.s:R..I....h(.OR43.3~.Q.... .................. .........&.......&....... ........&................P.Gc.;`....."..2..x.3..[[k.)..H....8.$a:.)u.Bb.T(..8T..=..P..... ..... ......?..500..&......&.......&......&............&.......&........540.t.c.........6Yd...'_...6..F.m.s..&X.s:S..{.L...H..U.....Q.3........&.................& ..........&.... ............&.... ..... .........%;`>....GI.5..j....;..G.m.....!..c-.(J.f...W....;>.~........... .............&...........&.................. ..........Diff..&........c.........7Bd.hT.S2....>.EG.l(s.O.Y.s
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8189
                              Entropy (8bit):6.601853127860106
                              Encrypted:false
                              SSDEEP:192:7yhmFg0yhbel7noPhO4PnOn33Ro2kL/phGca:7yECXGn1AOnybLxhGca
                              MD5:249C7C06C2699168B32725863A48233F
                              SHA1:C2C9970DCBD4D0F1B4622E9C387B512B8FFF11E8
                              SHA-256:0D4B429D1BF48D00824C5BB74CFF86DFFA8A68321EC3334108A197246390979E
                              SHA-512:D694FFA76A316274C5276F2257DEF6947650CB73EBB1B564B4638BD8AFC25FF155A8CDA7F33F8A486DFC340F0EC096A374D8F760727284F5D83D66C1AEF5D322
                              Malicious:false
                              Preview:...{H..g....X...q.Q. ).N.\..8V..W.....5...#a.).c.....(Cz..$..;..;..0..7-Zip..Ligurian..Zeneize..401..D'ac.rdio..Anulla........&Sci..&No..S.&ra..Agiutto....&Continoa..440..Sci pe &Tutti..N.=s%I..s...s.3.1.}.c|......l..........K.P.M5.).'..{..H$...vlo..&Paoza..In paoza..Ti . seguo de voei anul.?..500..&Archivio..&Modifica..&Vixoalizza..&Preferii..&Strumenti..A&giutto..540..&&ou)d..t.....:9.....Ps..8R..y....q....5.~._3.JG...N..I&3...'Vixoalizza..&Modifica..Ri&nomina..&C.pia inte.....&Sp.sta inte.....Scancel&la..&Dividi l'archivio.....&Unisci i archivi.....P&.rs)..d..x...+8.(.^....-....t...u....W.K....OFc.fb../.3.?n`rtella..Crea archivio..Sc&i.rti..600..Sele.ionn-a &tutto..Desele.ionn-a tutto..In&verti sele.ion..Sele.ionn-a.....Desele.i.smm..(.x...+..5....s...R..h....k..7..W.Q.Hz.F...Rd...yq..Ydfue &grende..Figue picinn-e..&Listin..&D.ti..730..Nisciun ordine..Vista ciatta..&2 barco.n..Bare di &Strumenti..Arvi cartella p.tm....v....83.0.P._b..O..[....w....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9839
                              Entropy (8bit):6.658392566469246
                              Encrypted:false
                              SSDEEP:192:zM+94mAawnNJSdZB0HxXhFmgsWESdIOt8BGx6uXADB1:zMmwnLUZB0HHFBsTzmhXADB1
                              MD5:9C707A1333E4E748B1D64C63AA65BF8C
                              SHA1:54AF43D59C827AAD19964FEA6E4DA44460E2DC1F
                              SHA-256:B569C7861C10AADF43425AAA3549A78969538FC5BB345520B2BD329921A8BC64
                              SHA-512:2C3711E03DF275B27E8F03D784CBD2A9DDC82CBA7669B89D3F23B5A9A5BC7010F049C134BA0212A4D8B5F74270C856E7815A125565D1F6D018AC4A8C8FFA8670
                              Malicious:false
                              Preview:........A]..R.v...OLp.UN.?.-#7.@..... .0jQ9q.JP9Y....<....{...Jokubauskis..; 15.05 : Vaidas777..;..;..;..;..;..;..;..;..0..7-Zip..Lithuanian..Lietuvi...401..Gerai..At.aukti........&Taip..&..>6..ts.G..NnS:...)29J.._e.-..O.....dxL%f...33.s....H..3.6?..iems..Ne v&isiems..Sustabdyti..I. naujo..&Fone..&Pirminis procesas..&Laikinai sustabdyti..Laikinai sustabdyta..Ar j.s esate ti8.Z.....H..Ss;...9.'>N.....8)'.+.......K.ytu.4.kt>...e.W.[.o.i&amiausi...ran&kiai..&Elektroninis .inynas..540..&Atverti..Atverti v&iduje..Atverti i.&or.je..&Rodyti..K&eisti..Pervadi&nti^u.wO...I.........H`.@..T`.d9./...qk..*j\td.JP$*_..h..<...<$.....Jungti &failus.....Savy&b.s..Kome&ntuoti..Skai.iuoti kontrolin. sum...Sulyginti..Sukurti aplank...Sukurti fail...I.e:YGU-....T..[.T....'4%D..G.W~9d.@.....dCv3?X@...{..H...:.).....Nu.ym.ti visk...Atv&irk.tinis .ym.jimas..Parinkti.....At.ym.ti.....Pasirinkti pagal tip...At.ym.ti pagal tip...700....W.E.uZ....Qs1W...-5F/S1P.Bbj7.H.......
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5734
                              Entropy (8bit):6.715106383242443
                              Encrypted:false
                              SSDEEP:96:ngBCUAMJ/nFtrmFZVWLrPiORkouibSJlueL9jKEdPiGaTPFXsoUYmm9RJ4f7hU:nhUnjrmJWKOuob2J9VK2PijDF8rhU
                              MD5:021AA131A9B8F7BAF6C5D73DEF5A3A0E
                              SHA1:23D3BFD54989A544BA25497ADA321526056B10B8
                              SHA-256:5A5AE32845299F251A339985B84189A565C56EAC8722D60AC59E0A135398150F
                              SHA-512:F82EDFB0F58AE1BEA7F87345E1614A5C32442A8393CC5CA1774255D508C386B94E355885F1485A13A9F8399EA2685EDF0329800BC02829B847CAEE5E7AF4161E
                              Malicious:false
                              Preview:.'ZEKw..PzZ=.E.R.....Q.k...=#..T.o....GS.:.].....{NV.s..-..r.....;..;..;..;..;..0..7-Zip..Latvian..Latvie.u..401..&Labi..&Atcelt........&J...&N...Aiz&v.rt..&Rokasgr.mata....&Turpin.t..44>..4...IHt..J}....2.L.8_.[...z..o>...r.?.\..`s.W34.....8.;....pl.n...Pa&uze..Pauz.ts..Vai piekr.tat p.rtraukt .o darb.bu?..500..&Fails..&Labo.ana..&Izskats..Ie&cien.t.s..&R.ki..&^....S.....p%%.$. ....O.D.;.B...p.N...j(..]..s.0.-!.yy6..;..}...Ap&skate..&Labot..P.&rd.v.t..&Kop.t uz.....P.r&vietot uz.....&Dz.st..&Sadal.t failu.....Ap&vienot failus......pa..(...g=.?Wx...}.g. ...`.1@._il..3.c....{.;.L.]4X...7.E.+T{.....800..Iez.m.t &visu..Atcelt vis&u..I&nvert.t iez.m.jumu..Ie&z.m.t.....&Atcelt.....I&ez.m.t p.c tipa..A&tcelt p.c tipa..9..s`...[q...y.{.K...L.*L.E-j.{.qhd...s.5.\.$.-<.S0!.`..).y...@e..irot....&2 pane.i..&R.ku joslas..&Atv.rt saknes mapi..L.meni &uz aug.u..Mapju &v.sture.....&P.rlas.t..750..Arh.va |XN.....Mq.p%C.u.N.....9..]x#.f.chd...m
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9070
                              Entropy (8bit):6.115397377861735
                              Encrypted:false
                              SSDEEP:192:EAR0/EMKbyU5vHt23ySqJeMLN1xnNnIltWaULjvKD4F+DgG6Ua:rR08RbyUlHt23tq7NTnBGWaUHs4F+Dg/
                              MD5:E0A2ACCA72B4856D086484F080D20FD9
                              SHA1:6577DC70E1B9FC29A59E6222E79753DE96F4D584
                              SHA-256:9836625C880582A3342F28542B9890267C33E60D307D6C382A2B785290AA32AD
                              SHA-512:CE0E018A19907546B29050A6C9B0A57FEEE9EAC57C77842EE9163DF20D51FAF6A893E16A942FEB75EEA98B306127555469ADD18975AC1AA0D9716953F1288896
                              Malicious:false
                              Preview:!..V.....bEp.R>+...........Sa.R..n.C....,.(.j.?...V.[#a.......;..;..;..;..;..0..7-Zip..Macedonian..............401....................&....&....&............r..=............#KZZ....s...]q.9...7...Pd...c..\9Da.|'..................................&........&........&...................... .......pp..e-X.c....J.JG+.Z..-.q.W9.:.....""...K{`c...8[a..u...............&........&.........&........&.......540..&.............. &................X#c...../....D.e..7R.._.y~!W...!......p9F`..B...............&....... .......&........ .......&.........&...... ................&.......d..n......|G.40.c......._....7...sd..c...8[a..M..W....z.................... .................... ..........&........600.............IKe<X........"K_Z....I._8.?..T.&..G
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8787
                              Entropy (8bit):6.295059308830914
                              Encrypted:false
                              SSDEEP:192:wkGAiAn83tyXiocGRwVWYVUtmBYH6mcMj3EHCwxyxhIvu1HR1Fa8axZj:piJWqeiYaMj3Ayxht10t
                              MD5:4B62C36D0FCD4B0694E82795691AE931
                              SHA1:FD6D37F844F477DF97864F1866692B24496434CF
                              SHA-256:FF72712AFB629DFD5C5561AB59462C82EBC3D4FA98427E6373591403F236A163
                              SHA-512:7FE4D1A4A4CB3CC2454A41DD9BEC53675D6E2789049B6BB784388EFE17007650EEEA693E2684127432BCE11B75F30E03E9CDBF5E2DCD451046267160516B7952
                              Malicious:false
                              Preview:d....]....%.z..*........|.Ekg*...^....^.o$.\]...b2K........S.;..;..;..;..;..;..;..;..0..7-Zip..Mongolian........ .....401...................&......&......&........M..1......U...3.0...l......43n..r.M..E0.Lp .z{...IHrB1H\$I[........ .&................ .........&.. ......&.... .....&... ......... .....0..p..1...E.3V.a..3...m......RX...%.M.:...\...[y....(.c.....k00..&......&.......&..........&..... ......&............&.........540..&........5..p...U.....n:..3Xq.j_.....},R^...-P.s.i.....P;...4e...0z].IP........... .&............ &................. &.........&........&.... .............;..u..0......P..Q..2...l.....$...5Kp.L.;..'...k:$....7..1G].....&................ ............ ..........&.....600......... ..&...........Z...y11......[:..3.2..1l.....92W..p?..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):20504
                              Entropy (8bit):5.628865781893704
                              Encrypted:false
                              SSDEEP:384:yzqFlVc7VwbqtIeBO2ASP9D57Oqv42qbOkfVIIwgh7yFC8NhSFqFqF7ShpJ4oXjG:WCC5Sqvyqk2e7Ch2gpyGFNu1dAyYNfv2
                              MD5:03923029DCABCE08B135C5B2487E0A3E
                              SHA1:341CAA89080C437E2AD41EB8EAF06B228486ED32
                              SHA-256:C34BBD4B702D45B0E31C5D014A70257AD26D9DB0F508E8AB432B5C2D95421209
                              SHA-512:4C9A239AF9CE553954EF940CAABFF264B6B2D6E4B0BE86E48C1FF06AC16E26E133081BF1ECD5F645CDC6415947BD2C431E9FF8DF8E95C2C2EFB7C480C7379048
                              Malicious:false
                              Preview:.........7...<+{.]&K.f%I.E[.....`..1..B.~)....7.....V.|....Y..pdated: 2014-1-1..;..;..;..;..;..;..;..;..0..7-Zip..Mongolian (Unicode)........ ......401............T..|.V..~.M..'....L.m..l.N,.!.]... .R+!..R..f.A9.#.Q..O...)........ (&C)........................ (&C)..440........ ......O.u..{.>.3.K...j..G...bU...m.c.\P..c..-E.....Hl].:.b......q........... ............ ..... (&B)........ ..... (&F).....K....-.E=.r....+...Cf4A.\l.N,.!.^... .R.B[?,.....A/.#.Q....aK........ ...... ........ .. ...500....... (&F)...................W.....M..>.....c.A......._.a......?...Hl^.:.b......q. (&A)........ (&T)............ (&H)..540.......... (&O)....... ........B=..|.}.M..)\..O..."..S.-.`.._.a.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21887
                              Entropy (8bit):5.694253316531416
                              Encrypted:false
                              SSDEEP:192:7geavCFV9uZ3mTD39hZ513VT9/bcO3BuUM5EXWmLhLEcgVCk4y4Rt+ZY268iYzdQ:20I3odl7wmjEcgVCbQ28n6tsdqdHf
                              MD5:06BC7D1D98E447D475010E700FA7FC96
                              SHA1:9850A9BB83F7ADCA461E6E4B38A38E10A2499CEC
                              SHA-256:0DA0A69234FE4B89E70D6D0B37ED9F6A052AC56F3B3CD75ABCF7BDB00914D713
                              SHA-512:83CC5AD7DA4D05C195B5B3B7DB12B45DE39E0A1114CB1C35DF63ECE01EA2A5830445C0D7DA2B2AC238F71727F68CA004FFFC7D264293DD35437ED29C837CC677
                              Malicious:false
                              Preview:.c.H.i...{7..%~.p.Y,.,#.X.E..h.zq.....J...i....E..mj..b.8...npdated: 2013-12-11..; Update and Spelling corrected Bayarsaikhan..;..;..;..;..;..;..;..0..7-Zip..Mongolian (MenkCode)......O..m.r.,.,w..t...L.3.M...g......@5.~Fk..Z..k.!.@..vM.....*...................... (&Y)...... (&N).......... (&C)...........O..m..a...-%..^.t...Y...M..a.4..5r..L..?p.G.......mvM.....*..... ..... (&A)......... .... (&L).........................q...X..T...F..-..T....M..a.4..5r..5.HFk..Z3.k....MN..e.r...... ... (&F)........... (&P)......... ............. .....6....9.!..".P.F..-..T....4...U.T..v5.~Fk..Z..k..19...Ib.....00....... (&F)............... (&E)......... (&V).............W..u....4#..} ?.xT.-..l.@..y.M..Lu....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11113
                              Entropy (8bit):5.956895066257001
                              Encrypted:false
                              SSDEEP:192:7fdrS4rWRy2sAv7PqlmnhkN6tBOxUdUR/lWSmnAqC+n/TrXW:7fl3yRyJALtTSwUj/+Li
                              MD5:13B25AD9A5C9241F8071590B585AC5C8
                              SHA1:44146353144D9E7136C10CBE9CABA655F78826B8
                              SHA-256:BB8784DDBF86DB921813A9DDEA9AAF50D0C929B2FAE48253D2D6EE31CDBD51CC
                              SHA-512:D994F3BAC8E5F1C4DF2E87F8C89E22B646EAA0DAC6072C76A89C7E6F367C0EFF34A8E05DF5738B3D0B3A965F173CD4610F762BEAF40F47EE6837030A973608CA
                              Malicious:false
                              Preview:...Q.Ly....Y......[.....;..:...K...U;.^..@[..CR..;..W.....np. ....... (Subodh Gaikwad)..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Marathi.........401............6.-{/...+....R%.Jm....<O.^pd.(........O..Z9Z...............&......440..&.... .. ....&.... .. ................... ......:1iy...R.C....a..(.<.BK..9.:.>.K...a;.UAh.[......~........np....&.......................... .... .......... .....W..iy...b....a.8X.O[b\s<O....e.X.I.qE.O.Z<Z....;..W.....np.....&........&......&.......&.....540..&......&.... ......&.......,Z....C.y%*a..(.<......4..l.YO.4...FD...U.0G.q............ .....&..............&.........&.......&.... ..... ....e....=..YF....a.3.Jl.b]m<O.^pd~.F..f
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5503
                              Entropy (8bit):6.5488973649981626
                              Encrypted:false
                              SSDEEP:96:G6RqoG6F1MB6wR4GfrqR5YIYU/5ok65tRH4gZ:zRqoGwEzrAYIYuokg/PZ
                              MD5:A2F0DE6AAFCAD22EE6EF9C7084A08C14
                              SHA1:7D76C656790E39030CF940DCEBC952B4FF385756
                              SHA-256:6837C1C0E98B071B788FD19AD267C0D49E032610F31D9A41BF1D46C16CEE7E88
                              SHA-512:A795858A89531A8732107221929021A4D8C4A001EF30255E70F96318C8FC1726DEC186C073F1373705D0E89FD37756A9788F882B8B12E9264FCEBA4CB0F5F1EC
                              Malicious:false
                              Preview:..T..S..*.J...?f....n.mHf:.*El..A.w.V.9...B.T....W.d.<.....z...;..;..;..;..;..;..;..0..7-Zip..Malay..Bahasa Melayu..401..OK..Batal........&Ya..&Tidak..&Tutup..Bantuan....&Teruskan..440..Ya .;..C3..).......*...!L&\.l...A.1E.q.7.&....._Z...z./'/s.......ang..&Latar depan..&Berehat..Berehat..Anda yakin untuk membatalkannya?..500..&Fail..&Edit..&Paparan..K&egemaran..&Alat..&Bantuan._...\M...k.].. ...u}k.$h..u...A.a...M...8..g.....gfD!.....>.m&akan semula..&Salin ke.....&Pindahkan ke.....Hapus..&Bahagi/belah Fail.....Gab&ung Fail.....P&roperti..Kom&en......Buat Folder._..Igv-%.......'...._.}LE..c.%.Y..`.O.f...[.[Y.....aK.b......#.nsangkan Pilihan..Pilih.....Tidak Memilih.....Pilih Berdasarkan Jenis..Tidak Memilih Berdasarkan Jenis..700..Ikon B&esar..Ikon K,0..D.\M...k.6.tA...<K,.E..9OA.-I.d.......F.T:...Q.);/i......lbar..Buka Root Folder..Ke atas Satu Aras..Folder Sejarah.....&Segarkan Semula..750..Toolbar Arkib..Toolbar Standard..Bebutang Bo&..%...6..b.#..%...&...*|.k.+.s..5.0.?
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6367
                              Entropy (8bit):6.633754141039465
                              Encrypted:false
                              SSDEEP:192:jJOuZQqxpO9tv9wRvnVj8gfYRNvfh9H1feDfwB:N9Zx+Ej8gfYrvJ9H1SoB
                              MD5:28C4584816BAB2447807B1FADFD566E3
                              SHA1:CACE5127F59F28D7BE6BF3249FE728BAD8FB4136
                              SHA-256:24FBD5209FE78151A8D3B4E365A80A7DF708B2E6021333469C7B81F14F8FD7DE
                              SHA-512:77F3B6DA39875963F1F96B627DFBAD465AE2ACE1962D0C3449CAEB5D1F205FDCF940372269483025D9069A7DD837D636E0141E4F24790D58CCD083FFDF85DC8E
                              Malicious:false
                              Preview:..YV...h)....\8.o0..^"G.h...}.=..%)^.W..J.zbR.K*...r.o.O...wE : Kjetil Hjartnes..; : Robert Gr.nning..;..;..;..;..;..;..;..;..0..7-Zip..Norwegian Bokmal..Norsk Bokm.l..401..OK....W...[..D....4WZ....kj.`...IP....,0=....e.|yG.Z,=.W"..W`...Z;E&alt..Nei til a&lt..Stopp..Start p. nytt..&Bakgrunn..&Forgrunn..&Stopp..Stoppet..Vil du avbryte?..500..&Fil..&Rediger..&Vis..&B+.X...3..D......h..CJ..*....i._.K..@.q....~cQ..1^..d.iP .K.]2E&eksternt..&Vis..&Rediger..Gi nytt &navn..&Kopier til ...&Flytt til ...S&lett..&Del opp arkiv ...&Sett sammen arkiv ...Eb.P...7.c<....g.[2....".L...G/.5.M3*U....N...>.Wx...f.x}..h.9.. f&il ...&Avslutt..600..Merk &alle..Merk i&ngen..Merk &omvendt..Merk ...Merk &ikke ...Merk &valgt type..Merk i&kke valgt t=.Po}.f..D....z..>z...pj....m.}.9..%2=.2..P.k.>.j=D..|.oP C..>]0sortert..&Flat visning..&To felt..&Verkt.ylinjer..Rotmappe..G. opp et niv...Mappelogg ...&Oppdater..750..Arkivverkt.ylinjeIhf...2.t*...|...}...gj.....G}.<..0%B..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):13768
                              Entropy (8bit):5.8275843014728546
                              Encrypted:false
                              SSDEEP:192:86Tp7clY0qnC+X1n4yPvwq0fRnKmXjqtPLwQZysOSwG/:86FgLun4yPDDtPLzOvk
                              MD5:657F62F94E78AEAEACBE7BBEE0BD76F2
                              SHA1:79561F8BD7E16C890D45C9FD718A124ED2E01BB7
                              SHA-256:8D23646102DB9895DA0D8A9C4391AC6D2A074F312B580019442A8BBEDBED3FA6
                              SHA-512:850793F05DF8201FB845DAAB8DAC4FCFBAD25EFE4A91F8590952CA587CFE71BEAF25909A68B8D97440F490FDEEF4FCDFEF8C269F4FE67F5A69E3BEC594C020EA
                              Malicious:false
                              Preview:Z\m.9.X...2.4^).pI...h.p..e........v2.9....J..#../!,...l..I.;..;..;..;..;..;..;..;..;..0..7-Zip..Nepali..........401..... ....... .................2_,,..0l.Iy....D.,.ou..".gk7.'zfd.....sD..Fc..>...z/k...B..............&.... ............440..&...... ....&...... ..^2..&.8h1......y....Z.-.ou.A.Ogk".&Yfe.........v.@..Hyz.R..5B.. ...........&...........&..........&.. ...........UCx..Z4_,.......y....Z.-.....#e{L=2"I..#k'7P.D3.-S..yz.}...B.. .... ......... ?..500..&......&....... ...........&..UCb..K.. u."[..<.Q./..I......"N{L.2"...%.c.....v..)...jN..7......&.......540..&...................... ...............v..b._,%......y....B.,.ou..j./>ccv4!.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9843
                              Entropy (8bit):6.540572059097982
                              Encrypted:false
                              SSDEEP:192:q/ywp3omBh3/VkA9vqGTnpwdTW+zWCH2TahEjsrUBZhsicJ5B0Uegch0UBaFlw3K:D0+GTnp2TvrWTahosQlSnSgn4nK
                              MD5:4B2D7CCBEA129E1D76776EC55790AF5C
                              SHA1:F80CCFF5D0418591E6639A64C5852D2A969FE75A
                              SHA-256:41985742BCCE6784D4ACF651865D624744F9F556B3DAFF8B4928557024DB4918
                              SHA-512:20C1A068938820E18A41B8181F06855A539767973E1634ADF94826B07A63C5DE5D9F4790917561D94B351EB479472F80852456AA27253A76D2FE1839050FAF74
                              Malicious:false
                              Preview:.;..n..e....>.. .?.b}.~.g<.".k~bHB}4t-B_..+d.0...B....-...... van der Weijde...; : Harm Hilvers..; 9.07 : Jeroen Tulp..; 15.00 : Jeroen Tulp..; 21.03 : Quinten Althues..; 21.05 : JerM....[......Y...8...io.s.p1.,..QuN.n;:YaV..D1.0.;.M-....:z2..e.Dutch..Nederlands..401..OK..Annuleren........&Ja..&Nee..A&fsluiten..Help....&Hervatten..440..Ja op &alles..Nee op a&lles..StoppeL....\..j....f..f{RF.+:.1X#..>.Ftb[.d;~.....;p.H.X.|g...w2...e.Weet u zeker dat u wilt annuleren?..500..&Bestand..Be&werken..Bee&ld..&Favorieten..E&xtra..&Help..540..&Openen..Open b&innen..OpG..[..n.....NrQW.TW..S0y.s.G...*n'tbqW..C..q.F....c6...F...&Verplaatsen naar.....Verwij&deren..Bestand &opsplitsen.....Bestanden &samenvoegen.....&Eigenschappen..O&pmerking plaatsen....(...\..n.....Bj_Y.78.S<.y.l.$.^U.~".-y[..DD._.A..E....iZbX...iten..Koppeling..&Alternatieve streams..600..&Alles selecteren..Alles deselecteren..Selectie &omkeren..&Selecteren.....&DeselectG...........U}T..)}.*O7y...LhuP.h!..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6243
                              Entropy (8bit):6.65653606565886
                              Encrypted:false
                              SSDEEP:192:snE/n5P8o0eOx+9zsF/qo/NUsEYsQ4YvUGvNyN5eMqTfQI:oEfuLYGm6SKUG1AeMqTh
                              MD5:6B2B2FF12861829760EF9BBDA4057A51
                              SHA1:C792570BC0673734E69CABF9D41D05171EB0745D
                              SHA-256:A7A84CE44D0CEC23DC763D0CF3B6B1EBBD8A224E2C8F730FC3D5337C96EBD2ED
                              SHA-512:379EDB91F8C4FE07794DE554617F19C0AA5EBA498605D5069C5D2E9C7EECEEE0FF300EBF80E807EB96DF62F975BDAA63A385B6EA3D24F2A90B080D353EAEB99F
                              Malicious:false
                              Preview:`E.....%k...";.M..3....D>g..u.]o.B.........bn....}.VY.2...;..;..;..;..;..0..7-Zip..Norwegian Nynorsk..Norsk Nynorsk..401..OK..Avbryt........&Ja..&Nei..&Lukke..Hjelp....&Hald fram..440..J..x.[w.%i..@MH.b...R..B.#.(..*.l~=D........bn......5=(5(..grunn..&Pause..Sett p. pause..Er du sikker p. du vil avbryte?..500..&Fil..&Redigere..&Vis..F&avorittar..Verk&t.y..&Hjelp..540..*.G9.I.?.$bN.B..3..X..V^3..A.M.V....V?............)2..`....&Kopiere til.....&Flytt til.....&Slett..&Del opp fil.....Set saman filer.....&Eigenskapar..Ko&mmentar..Rekna ut kontrollnummer....x'.6`..jn..{..q...S..Pm...-.~|/Z...:8..L.eB......76(5H..n alle markeringar..&Omvendt markering..Marker.....Fjern markering.....Merk etter type..Fjern markering etter type..700..S&tore .c.:].bh.ljj..e..r...W.VO"..K.^xQ<..RV?............./sSV}....&2 felt..&Verkt.ylinjer..Opna kjeldemappa..Opp eit niv...Mappelogg.....&Oppdatere..750..Arkiv verkt.ylinje..Standard verkt.7.`.Y=.6.z.>l..+..N...;...xg..F.Oo(S...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14977
                              Entropy (8bit):5.991545612053482
                              Encrypted:false
                              SSDEEP:384:nf6SHMlJnAJ4PsL/eteSjlc5t1hO2t0JL:nf6IMlJAYG/6i5jhV0
                              MD5:D6A0D8B47ED029E15C720A291F0EF99D
                              SHA1:9B286296AF30D968EBC7DF2F529EA33318E3985F
                              SHA-256:0EF754B5687930EADB97E6270E06225240C7B7C25A9B9FD27D7316E35E3D7EE2
                              SHA-512:76EF6C85DD2A497EDD7F55EA2B050D2682EACF0C4590393877B13A088265C063BD46EB738A0C31AEC6DAC06A06C86FDCAA1821B552173EF283A58E10B62BD06C
                              Malicious:false
                              Preview:(V!...u..4A..]....jg....(..........Z..r2#.^.7.&F..l..2b.."YM.;..;..;..;..;..;..0..7-Zip..Punjabi, Indian..........401..... ....... .............. (&.....d.|..H\..m$...%1.]?;sfU.t.nEo.*/.uc.V.Y..Z;/.......%hM..... ... (&C)..440........ .. ... (&A)........ .. .... (&l)....'E.1D.4l,..5...w...;C:{y..v".....CS.'.A..../.I.,..s.......^.... (&B)........... (&F)...... (&P)...... ........ ..... .....ow~yR...,....Y>.rk...rl(..0.sffT<...o.b8<....H.,..r.......^..`..?..500...... (&F)..... (&E)...... (&V)......... (&a)..... (&T)...... (&H.....p4l,..5...v.........v#..Z.t.]Eo..f..*...~.....GE.2bP...... .... (&u)....... (&V)..... ... (&E)..... .... (&m)...... ....y.6r..F,..5...>.Z..4C:w....k;j..*CS.'.A
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10125
                              Entropy (8bit):6.800217417875889
                              Encrypted:false
                              SSDEEP:192:5E5SOQuTK2FXFedmcczWNUdn66TvrELt7xF/tm6VxxIJwClEsseR6uk+umfl19:5USOpXFpDdnPTvQLDHm6VY9Bd19
                              MD5:AD6BAA2AA646870584D944B8771B2D48
                              SHA1:CC9B7079C011C277E9854677D7753F6D1C6A59C0
                              SHA-256:7A52C33D1E559E374201DD0704AB862553C7758C15CA3A71BE02BBA5366DF168
                              SHA-512:C18284FC82149D11E1E4E80D2279070ADFC3D8C66BED0A1379F62E80FE0B386ABACCF5B11EC5BA466DC8C88BD4A4AB9604AB177ABF53641727A066B6DFA46929
                              Malicious:false
                              Preview:m.+...=a.....I.3..[U.....t.4...p.-G./...bqh.GV.....>.3..y...b.07 : F1xat..; 9.33 : .ukasz Maria P. Pastuszczak..; 22.00 : Micha. L...;..;..;..;..;..;..0..7-Zip..Polish..Polski..401..OK..A.I.Z..{....%:...%p~.F...rsu.J`z.E#.3...bq^.A=.....;.F}..C...:&k na wszystkie..Ni&e na wszystkie..Zatrzymaj..Pon.w..&T.o..&Pierwszy plan..&Wstrzymaj..Wstrzymano..Czy na pewno chcesz anulowaF.."..A0....Cu<x..?<.L..)^.C.Eax.B..0.....6.mP....H|*."...#...}c..540..&Otw.rz..Otw.rz &wewn.trz..Otw.rz na &zewn.trz..Pod&gl.d..&Edytuj..Zmie. &nazw...Kopiuj &do.....&Przenie. do.......\.'.....Uu2S...4.D...Y#N7...+S.,....U}.j|..m.. ."..L...QKo&mentarz..Oblicz sum. kontroln...R..nice pomi.dzy plikami..Utw.rz &folder..U&tw.rz plik..Za&ko.cz..Dow&i.zanie..&Alter.].V.. ...Bu2..MwR.......u.Oop.h^.&.....^.A9.....n.8......QOdwr.. &zaznaczenie..Zaznacz.....Odznacz.....Zaznacz wed.ug typu..Odznacz wed.ug typu..700..&Du.e ikony..&Ma.e ikony..&List.1.....z......x..Ih.%..A$Fg.Sz|.)G.Q..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8954
                              Entropy (8bit):6.419815391222439
                              Encrypted:false
                              SSDEEP:96:wFPGOQhg6U7hCnEDZ5UunqxxISAMuZHdttpY1qdGGJUd+yccGCY3wPBerjX8OPec:2TOjPnEsuqxxxAdveqzWEwdH3defT9
                              MD5:BBBCEB9E55E5D6BACE818D1C1E0384B0
                              SHA1:33AA1F1531040512CA9CE92B93AA937DCC34059B
                              SHA-256:DE6C8F6A1E8337259775DAFA0EF6721D921EEEEF31A892F783D548491FCDCAE5
                              SHA-512:D12D3A39EA567DB8E4856DFCB152B46C240C8D21BC1C970523A8E9BF3BC604354BEE2ABF4017B8A6ACCC910B77A5F106BB281DD067B941D1E7C359EBCA248CFF
                              Malicious:false
                              Preview:n.;...3'...PX.+GV.4.9...MtgL.Y[....T.........I.B.}......=@7...rt..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Pashto........401.......................&....&.......&......+w....u......K....}....Mnbr..^....t.J.s2.<......v"....v.e"d.. .........................&........&.......&............. ...... .... .....'.^).W_...$......5~.j.L..r.VK.(.[.%.J.s3/bo%s.i.*G7..T....#D..&...&............&.......&..540..........&......& ............. .&...............wi...+.$6t.....3|.i.M..n.../.W$.K!.lr<....i.+...\...}.......&.......&.......... ...&.......... ...&.....................&......... ..Z>\..CrL.w{.......5|.i.N..bnq_....V...-..I......v...V....r.N..600..... ....&..... ............. .......&........................ ... ........0.^&.O...$..J....}....Ij_u?.....Y$.K
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10237
                              Entropy (8bit):6.627242198197784
                              Encrypted:false
                              SSDEEP:192:SkmqOqOkIfXDijlnD5KQizNQ8iPUOwYvsMWnq:VmqOVvfzIyQwQ8iMOwJMWnq
                              MD5:FECD8BF9ABC96AE90112E9976567E0AF
                              SHA1:6B605333C6E0B850B29C549DD34C244AB5A779D2
                              SHA-256:C31837F29686F2E9E8B1F57EA5BD89B5928A1CFF5D73F3BAE5B83FA55C006439
                              SHA-512:80ECDB155C974A2FE9AC00063BD7DEAE95BE8CB04846D786A7D95392C082CFBA7B851937330776AA49B1E1974CC452DB509C8F03A7545BCF1AFB6D5562A55E96
                              Malicious:false
                              Preview:..Q. \...Q.r..S1&. ...;..,(.i..7.q*1..Yg.}....fq...$..........Biazzotto..; 23.00 : Atualizado por Felipe..;..;..;..;..;..;..;..;..0..7-Zip..Portuguese Brazilian..Portugu.s Brasileiro..401..$:..B}..Z.@9..}......r...*F....OHY,;..DJ.N}...XR..mq.(.....x.40..Sim pra &Todos..N.o pra T&odos..Parar..Reiniciar..&Em 2. plano..&Em 1. plano..&Pausar..Pausado..Voc. tem certeza que voc...ty...W.QQ.f.4.........~yI:.Hd9.<..W5..1...33..Ol.V.......os..&Ferramentas..&Ajuda..540..&Abrir..Abrir &por Dentro..Abrir p&or Fora..&Visualizar..&Editar..Re&nomear..&Copiar Para.....&Mo....Q}.Z..?>.F.j.`.=..elU!..7.j ..K.i..T....;1.....-.....\...P&ropriedades..Comen&t.rio..Calcular checksum..Diff..Criar Pasta..Criar Arquivo..S&air..Link..&Correntes Alternantes..600..Se....nr.T..GP..}O.r...x...X}X<..c'q?=..S5.\r...6....$M.0...........Desmarcar.....Selecionar por Tipo..Desfazer a Sele..o por Tipo..700...co&nes Grandes...c&ones Pequenos..&Lista..&Detalhe.|..2,..0S.]F.f.b.`.....yiP:....7.5Z
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10203
                              Entropy (8bit):6.585236938498762
                              Encrypted:false
                              SSDEEP:192:+PB32xdeJCK7p9yGRxNXzU9KUMzpyWWydUH2QynHTj0aHkRWvko+S8n4AIq:VxKC00GRxNXzYRMzpysdUH2Qynzj0aEz
                              MD5:B03CCFD2B1690A3505F63681B0F9AE93
                              SHA1:E620193736ED99939AAFBE219103FA77CB40C984
                              SHA-256:F11005CA82751EB84D46352D0E6B85C1227DC48DB2B734D41A31444BA038BE7B
                              SHA-512:431AB21FA8D3441FA2DD0F1BC2959092052FFF69A3DD82E2F50556AABE0D186980767BC770DE66D957256D6764AC0A9332FCEA3AA1E1BD01FEDF4955F7ADCCC6
                              Malicious:false
                              Preview:.H>....2+..(...+..6...'I...W.WhP....5(.j.i..Tt.Z~..F/.!.\.lD.`5.es..; : Jo.o Frade (100 NOME TR)..; 4.46 : Rui Costa..; 9.17 : S.rgio Marques..; 15.00 : Rui Aguiar..; 15.00 : 2022-03f....c.&"..+.'....x...'[...G.Wh!.?[.v>.9.(Y..:S.~ML.y.m.\....+b..;..0..7-Zip..Portuguese Portugal..Portugu.s..401..Aceitar..Cancelar........&Sim..&N.o..&Fechar..Ajuda....&Continuar..440..Simk....66<H....:....1....c~.Y..`BA.d..%a.y..E.;(A.:a..c.o.>....H4.iro plano..&Pausar..Em pausa..Quer mesmo cancelar?..500..&Ficheiro..&Editar..&Ver..F&avoritos..Ferramen&tas..&Ajuda..540..&AbrirF....* sc....'.`..u...'OH.Y..gnE..d.`M.b.i..T.A.?|.F`.o.^~.!.b6.iar para.....&Mover para.....&Eliminar..&Dividir ficheiro.....Com&binar ficheiros.....P&ropriedades..Come&nt.rio..Calcular o ch......_Y....._....e...t.O.!4..)a.k...m.y..i...].S.a.h..b.&....ternar fluxos..600..Seleccionar &tudo..Desseleccionar tudo..&Inverter selec..o..Seleccionar.....Dessseleccionar.....Selecciona9....c&:5..b.0....r...h.O.....hg.}..L?.;
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7887
                              Entropy (8bit):6.668473260860112
                              Encrypted:false
                              SSDEEP:192:XlqAzxJngvYc6LeGwrQS6svwKs6G33f0wPVKTT2n5jyd5GF:IIgvYcZV06Y3Pv5GCF
                              MD5:8B212079430E2619CC05BB26474CC230
                              SHA1:7103F4B35E2799771C10D774F9685E2A1B6E2625
                              SHA-256:29EDB829A23DF54B5AF8CD34E229299A3D2E3B87C320F882EEFE5B76999E8341
                              SHA-512:90B2F5071764F8718D7FF2DD21D78A03C70D56B51102F190F031D61B8835D6173AC6409EBD6ADDA96E21FB63860D9DC6AF88E50895B94614BCC4284CFFA071A0
                              Malicious:false
                              Preview:.I.uM2.._.Mp0</Yw..Yc..q....4M...H.g.i.......L.b..-./c.2.......;..;..;..0..7-Zip..Romanian..Rom.n...401..Bine..Anulare........&Da..&Nu..&.nchide..Ajutor....&Continu...440..Da, pe &toate..*..-.R..D.r:^..z.q..^R.R6.V..k..8.,c..I.7....{..b....Q.SM."..A ^..&Pauz....n pauz...E.ti sigur c. vrei s. anulezi?..500..&Fi.ier..&Editeaz...&Vizualizeaz...F&avorite..&Unelte..&Ajutori..z\...u..Sy..zW... ;.^!..5f(..."D.j.N.t.6=.:Qd....&/c.i.>.y...ez...&Editeaz...&Redenume.te..&Copiaz. la.....&Mut. la......ter&ge...mparte &fi.ierul.....&Une.te fi.ierele.....&Propr.....0.<.<_|..9....&U.t$.T..k..8...|.F.u....h.c...U./c.5.6.y. ^ director..Creaz. fi.ier..&Ie.ire..600..&Selecteaz. tot..&Deselecteaz. tot..&Inverseaz. selec.ia..Selecteaz......Deselec...4....uct..|......S0..u.z...le.z.K.r......%....&..JO.N.(...Iconi.e m&ari..Iconi.e m&ici..&List...&Detalii..730..Nesortat..Vedere plan...&2 panouri..Bare de &unelte..Deschide directoru.....W.R....dqJ4...%=..(.^.{.../R.f.N.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15680
                              Entropy (8bit):6.091692996957918
                              Encrypted:false
                              SSDEEP:384:qseSzXZrECZhL/supm6OjLylRJ83g+roHAkQd/:qseSnc5LylRJ83g+rP/
                              MD5:7AD31C33D65B22ADCB4CAA273AEEF2A2
                              SHA1:987C28BB796CDFD525D61922927ECF4B602639CE
                              SHA-256:34E3C717A1014C28CAA3442DA18299CB16A0006F25A6A7C05B660CD7C567ADB5
                              SHA-512:3F5DF6677BB328C321CB391FF83B591BDF2B8E921D6E08751EC3384559BFFF62FEB18B8804BD2D80BC45A315E5BCFF77C980206D6FC8229A109AC49875F7CD83
                              Malicious:false
                              Preview:.S...Xq.]\......+dn.X...j.H_]....1^.;.:_b....2..mf..|.....1}z..;..;..;..;..;..;..;..0..7-Zip..Russian...........401..OK................&....&.....&..............a.;2..39....7.Qh.......@.l...u[...........f.w.4........W.... ... .&.......................&.......&.. ........ ......&......... ........z.<.GT.....64Qn.......C.b....O.0[c....#.....G(.......$.V...........?..500..&......&........&.....&............&.......&.........540..&.......do...1..b..Elg..A*O.oh.)H?....+.[C....#.....)u2.'....$................&....................&..........&.......... ......&...........dBg......I.77.Ql.....:.t....I..[l....#.E.Y.H)...5$Tt{.k#W........... .............&............&...................... ................x...)0..l..Eeg.........B.mV&...e<..M..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19552
                              Entropy (8bit):5.8563103298485775
                              Encrypted:false
                              SSDEEP:384:p48rInBLHt1isuPZVEt/E1dgeq00ThrhtSexjWO34nka:uvntN6zEXta
                              MD5:824219C50C19EDAD76F3399194966970
                              SHA1:B1A25F0A6CBABFDE6A089FDFA5C3A366FB66E250
                              SHA-256:FF961ECA8BFDA76C6C2E171A0CADBE65EB93628EA8FA19E03D72A1587F1773BE
                              SHA-512:4D666E655E6EE92CD5FD682E5DCAB5D718A1D4AE11D761E9585F87CF1F4DFEF96E1AD8D3F78267B012549A89DA6BD9698D4186C8E298043CCCBA419EA928395F
                              Malicious:false
                              Preview:..._.)5....dSD=..MK.Oj...../.4..2. ..c.q.o.t)....X.......q.. .... .......;..;..;..;..;..;..;..;..;..;..0..7-Zip..Sanskrit, Indian, ...............+.M...I,_S...Z..?.^.....%.Ox..&[aO...no.|)....f.JKI..Us..........&.....&....&... ..............&.... .....440..&.......-...o....j.........V..{..Hk.{D3.%..=&.bj..i...6*..m0].....G..p5... .... ......&............&........(.........)..&.....o. ..[.0....d.Z..?..y.>l^.1..cb.,......r.!.)....T.......5..... .... ..... ... ....... .... ..... ....?..500..&....=...N`.......4..1.../.=...a..='...gO...fo.|)....q........&..........&........&.......540..&.........&.... ........>....OTt.I..%Z..?..q.?T^....yb...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):19515
                              Entropy (8bit):6.0011322981059285
                              Encrypted:false
                              SSDEEP:384:tF/kVR8PJPmyF0iqRJLDwqOxLZz9Vk4+UqA37wfbOXUIdy7rHN3eRrmDJBOzunPA:/kVR8BmJLOxLZZ+U5AOExuxmD1xSKg7/
                              MD5:1C61342EF1CA775835B3BC6B642FFE0C
                              SHA1:CB5F42911B4A4E4EF0072FA25812E5AF5D7E2C73
                              SHA-256:987396B70057D48FF0277E7AD5F1ACC2EB91AC726373E692F4D7595B0D690B83
                              SHA-512:A0ADAB132FC3E1E1264DF744844D16A67148C68832EB0A77785A71B6B83B4C77F648877CDD22BBDF5E0F7D20E18D2F21AD7700CC1428986A3BD6C8D6F1BB1038
                              Malicious:false
                              Preview:..=.,. ..d.u(..Tjt......G...U4..=....z..z.x.......!6.id...'... (Supun Budhajeewa)..; 15.00 : ..... ..... (HelaBasa Group)..;..;..;..;..;..;..;..;..;..0..7-Zip..Sin.;i...*..>\...f....%.../t.AL.T...;..H.ZL...x^n..v....~...v.&.....&......&...............&.........440..&........ .......|..*..?s..._...%...$...AX.U3..9..|.ZL...x^]..v......'.. ........&...........&...........&................}....:J...ix...FU.G.s.H.V........[.Y..J.ZL./.x_o..B.i4.;*'........?..500..&.......&..........&........&...............:m|.............r..-....~....[.t.2=.:..Kx...[....B.G4..*'.......&..... ..... .......&....... ..... .......&....|.<*..?.HO...a...%.+.s...l(.YW..IH.5
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9686
                              Entropy (8bit):6.775975335132495
                              Encrypted:false
                              SSDEEP:192:4elul7vzStUyjxRvAreauEZAqhwwfCh6o11eyg3LuM5:yzzStUyFRYAuAqhDkR1yuM5
                              MD5:32B4ECED8F00F0C2E96A3A497FA54D43
                              SHA1:68F48C7FEBAA8F99C1ADE63654A201C74C0214D9
                              SHA-256:13317A4E54FF8A254D38C7F7468A94A73BC7F01A6459C74469F0EDD10606D198
                              SHA-512:EB57F8033014587DD0823BBDF26544D9F3DF1C5D18774627692F557CAEE0E684555D36F25852B8E0DE9B3316391EEFCAAE3882E07F4470F188AA4245D7098B6D
                              Malicious:false
                              Preview:.h&_Czo)s....s`../.'..[B!.zs.(\...|R.Zcr..v...4.>...B.._.>pIve.ka..; 9.38 beta : 2015-01-11 : Roman Horv.th..;..;..;..;..;..;..;..;..0..7-Zip..Slovak..Sloven.ina..401..OK..Zru.i.......nD..&r.,..OQ.1.K.^....WY..eg..P~7..:.Q.....CbLo=P.&.P7..Bo na &v.etko..Nie na v.&etko..Zastavi...Re.tartova...&Pozadie..P&opredie..Po&zastavi...Pozastaven...Ste si ist., .e chc}..D.Q@!h.\..G..'..KR..|..'jg.b...v.Vthl).v.oHo..!&..Fu...ben...&N.stroje..&Pomocn.k..540..&Otvori...O&tvori. vn.tri..Ot&vori. externe..&Zobrazi...&Upravi...&Premenova...&Kop.......hy....+>..e.Y.B....z7..&&.e..8u.E....I...b.t.....)@Iv.VCr.....Zl..&i. s.bory.....V&lastnosti..Ko&ment.r..Vypo..ta. kontroln. s..et..Rozdiel (Diff)..Vytvori. prie.inok..Vytn......;..D.+>..x.D'.....P...ir.A..V0.........A....0E.f..7.QPVna.i. v.etko..Invertova. ozna.enie..Ozna.i......Odzna.i......Ozna.i. pod.a typu..Odzna.i. pod.a typu..700..&Ve.k.z...UM1....J.N.~.E.Uvh'.5)..e..I.8t.U
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9235
                              Entropy (8bit):6.652346274285162
                              Encrypted:false
                              SSDEEP:192:75CcUhGPAFqexOY1g1qpidsHEF8W1pOZr6Ux7xS+BVsqUBKmZm2UZ4:qhxFRBhQKr37ZAZmD4
                              MD5:1A19579DD213ECB4A990A2FC69DD3921
                              SHA1:7D324B2EE6F91C613C95E46B778F691457CE231C
                              SHA-256:74B1B6B9C29964DAB2BA91DD9E287982EAF92C92E1E4C256AF25F52A226E650B
                              SHA-512:9B6792B6724865D4DFF7FEFDD88998648A95B9282C1D8E762B4EDED48A6199E64778568D1FE9EE371042E87776CA0099E79540169D7DD60F6A60D42C34A023FD
                              Malicious:false
                              Preview:`.d.Z_zM+[.<..U....p.R.Z.h..........zU...A.....6....M<"...jo;..;..;..;..;..;..;..;..0..7-Zip..Slovenian..Sloven..ina..401..Vredu..Prekli.i........&Da..&Ne..&Zapri..Po&mo.....&Nadaljuj......Wz.6..;..v.....1.....E.....G+..%.....A.....i...$.st..A*spredje..Premor..Na premoru..Ali ste prepri.ani, da .elite preklicati?..500..Datoteka..Urejanje..&Prikaz..Priljubljene..Orodja.....u..F\.-..5....Z.....h.....OL........Z.]...i..)]xk..A0redi..Prei&menuj..&Kopiraj.....&Premakni.....Iz&bri.i..&Razdeli datoteko.....&Zdru.i datoteke.....L&astnosti..Ko&mentar..Izra.....:ciF%..n..3......Z.....#.....XG..k.....*0........4Ymt..jo&Izhod..Povezava..&Nadomestni tokovi..600..Izberi &vse..Razveljavi izbiro vseh..&Preobrni izbor..Izberi.....Razveljavi izbiro.........ar.<..k..g....&.....!.....A...k.....-oL...n...)]|1....e..&Majhne ikone..&Seznam..&Podrobnosti..730..Nerazvr..eno..Ploski prikaz..&Dve podokni..&Orodne vrstice..Odpri korensko mapo......hrmF"I.|..t.....?.....)......+...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6297
                              Entropy (8bit):6.658880817962252
                              Encrypted:false
                              SSDEEP:96:fA4haNBEwjPhrlkJBrtjaMZef6F51mxySn2SZ4XDvGfHRHdHlmSA59+Mi3j54uP1:Thq8ZMo51m72W4XseSv5k7kBtInOD
                              MD5:FC61128DF30E947FDD97CA58755BF332
                              SHA1:F0122EB44F56E7F60E69AD145C62B40D22B52074
                              SHA-256:4B398BBB88DB79CA76D810353777747D0D8070345C376B6EA109CEF70DEEFB69
                              SHA-512:9F0B5BDF86DA7A96D21EB562704CA4872C785FB68292D89671ECCD9CBEED6BF24C953CAF0190774E3F0A47CE1C4C639B1D542F4069D72D1BD4026DAA0505D20E
                              Malicious:false
                              Preview:`&.>.:*......w.=.Y]..-.....0.h..>0.{...5.W..'ml..k.x..".<...;..;..;..0..7-Zip..Albanian..Shqip..401..N. rregull..Anulim........&Po..&Jo..&Mbyll..Ndihm.....&Vazhdim..440..Po p.r t. gji..ad.p,..U!..W....:..+SY.7tt.$?...5..i..'..|r..C2l.~..c.x9X... par...&Pushim..N. pushim..Jeni t. sigurt se d.shironi ta anuloni?..500..&Skedari..&Redaktimi..&Pamja..&T. parap.lqyerit..aS.........J.}.uZ..=62.u[`.B...{,%`h...Q.;...L&A....)..?wB...&Pamja..&Redakto..Ri&em.rto..&Kopjo tek.....&Zhvendos tek.....&Fshi..N&daj skedarin.....Kom&bino skedar.t.....&Vetit...Ko&me.....6.......P.e.....h.N.OSv.#9../Q.....P.4k.>.2..Z..I.puY..j. skedar..&Dil..600..S&elekto t. gjith....se&lekto t. gjith...Anasill selekti&min..Selekto......selekto.....Selekto sipa..3l..........F.d.X#..lH..TJy.EZ..kQ.q...KE.!......Qk....w~.... &vogla..&List...&Detaje..730..&T. parenditur..Pamje e rrafsht...&2 panele..&Shiritat e veglave..Hap dosjen rr.nj...Nj. n.."i...q..........#...RS..S0.'#.(r....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12307
                              Entropy (8bit):6.110893177513773
                              Encrypted:false
                              SSDEEP:384:bSOkP3WRhCqKqU6A29Vv9mPZjNRkCtdMDqX:uOkPUCF8rXCtJ
                              MD5:F7890A85C6A4A9983F7C03CFDDC6AFDE
                              SHA1:6785911CF93E35C6EE06604D7627C4907F76FF45
                              SHA-256:EA1027B686437C1D0E723FE8D091DC8A16A0400D2068227230CF9275404A8EDC
                              SHA-512:AEEF2519FEB23FFF47C4AFD4813D8F96BE92D592C6E7DE61CF8E78161255975C002E3CC5AC398A5E25B5872D3AC489F0E457C9B597FB8A5734B1EBEC974D8ECF
                              Malicious:false
                              Preview:..i.......9..#.d.....^.`h.paH....iIW..tW...#.!...).'......Gz.;..;..;..;..;..;..0..7-Zip..Serbian - Cyrillic........ - ..........401... ..........................{..e.<.]I;`..h..Q.$/.N.B..L.Vb........J...=../d]..M...ow5.L......... .. ................................ ...................... .. ... .....#F]L.$Y.8.\..|jB`. .......HFI."X...X...._~...I..T.$..%..v......................................................540.................. ........`..Th..$%2.B.@..M.{..-.....p........-P.1......*..0.............................................. .............. ............7|.."{\x.,Y.... ..%(.KP.nE....)-.C.D...}...1....G..M...ou..*............................ ........ ....................... ..............@.<..-Y...8.u.jA`. ..J....--.B.iIZ.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7483
                              Entropy (8bit):6.66535309721948
                              Encrypted:false
                              SSDEEP:192:OR7j+eEMKD8tcnkt82r4GRc/FM84XpdPE7GOje1s8GqnRbYjXKsGk:jeEf8tcR28mcgjP6qRMjXKsGk
                              MD5:10E46E7A854E439A5842260139B1FF47
                              SHA1:050A09FA6E2F0CF254F5561A52EF08B2AE26552F
                              SHA-256:EFDCB8AF88C0BCE53D3BF077C60DF6148C162439800707D9CC7C38CD862BA8D1
                              SHA-512:2379D7C9E481EC572AE88CD58969D5F8295BFAEF41572234DEC6FAF941DA53CE9C1B089D0D9D398B0F0BE8C7E93B2A5997924D367F3F20BF9AD6FECBBC05EC07
                              Malicious:false
                              Preview:...Hc...A.a...i>..V.d^..... ..K..tR.r.3..P.I...\jh.-......<.;..;..;..;..;..;..0..7-Zip..Serbian - Latin..Srpski - latinica..401..U redu..Otka.i........Da..Ne..Zatvori..Pomo.....Nastavi..d.h~H....r.Q...4?..M.2....In..;...7.=..x.......+.O.....I...P.za..Pauza..Da li ste sigurni da .elite da prekinete?..500..Datoteka..Ure.ivanje..Pregled..Omiljeno..Alati..Pomo...540..Pogled1ZUy.....r.....8o...N1....A ......<.'].M...S...Aq`.H...l...].daj..Promeni..Preimenuj..Kopiraj u.....Premesti u.....Obri.i..Podeli fajl.....Spoj delove.....Svojstva..Komentar..Izra.unajte B7.'....Om....$.....(.....fo......;.9.k%.)....Gwn.B...6...P...600..Izaberi sve..Poni.ti izbor svega..Obrnuti izbor..Izaberi.....Poni.ti izbor.....Izaberi po tipu..Poni.ti izbor po tipu.Z.hCO....O..z..#z....7.....Be.b...9._.NM........01.-.......E.ranja..Ravan pregled..2 Prozora..Trake sa alatkama..Otvori po.etnu fasciklu..Gore za jedan nivo..Hronologija.....Osve.avanje..g.h~H.....K!.F..0r..g.%....La..E...5._
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9539
                              Entropy (8bit):6.641914396475346
                              Encrypted:false
                              SSDEEP:192:cfql4thyPuFOO3a2GqUCtXtXoR3/Gf5h4LusDLdU0Xat0ECfM0KqSYMR3nmJBTLh:wHtkGjq25UC7X4LuCdU0Xat2fJS8Hh
                              MD5:E288DB7C855457D985F6A72D48A74762
                              SHA1:71E69A0F87F6EBBB250CF84F59C3EEBB3732D527
                              SHA-256:47EEA3E3ADA2D22A8C5A095FB3411949EF7C5EAB226517AC7133C0FCEBFC7247
                              SHA-512:21285E50B3916AD1C1014E53A045740DE232E95E49EACF6ED28D5DC84BE13CADF176178BF9B53CA05EFAD6E73B9073CC1A2A30A21AA976F5B7110845649846A9
                              Malicious:false
                              Preview:.......Q.k.A......Q.R..2.4'.....00.}..5...e.,....#9.me..k.#.|qvist..; 4.59 : Bernhard Eriksson..; 22.00 : (2022-06-20) Mikael Hiort af Orn.s..;..;..;..;..;..;..;..;..0..7-Zip..Swedish..Sv.j_..O..=../..S.Z...........,....Hs?k.F.....F-....!..razj...%.`ts.tt..440..Ja till &alla..Nej till a&lla..Stoppa..Starta om..&Bakgrunden..&F.rgrunden..&Pausa..Pausad...r du s.ker p. att .q....)..z.....f.&.l.d..`.}q+...&<.k.*......"....*=.lx.....U.`kt&yg..&Hj.lp..540..&.ppna...ppna &internt...ppna &externt..&Visa..&Redigera..&Byt namn..&Kopiera till.....&Flytta till......PM...7D.......y.\.|.....<..!u....,3.i.ks...d.m....m,.pb..}...Yomme&ntera..Ber.kna kontrollsumma..Differens..Skapa mapp..Skapa fil..&Avsluta..Skapa l.nk..&Alternativa datastr.mmar..600..Ma.oI..cQ.`..j..4.^.9....~........0!.|.kx...s.*....*.ut..#....Svmarkera.....Markera efter typ..Avmarkera efter typ..700..St&ora ikoner..Sm&. ikoner..&Lista..&Detaljerad lista..730..Osorterad..|...1..u..F...q..=.......2QC....%&...'
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8848
                              Entropy (8bit):6.571721764666792
                              Encrypted:false
                              SSDEEP:192:G+KCciruPRdReAArqP8P3Q0f+AY76iHRRXAk7:2CcxPRbEh+A8B7
                              MD5:D1312BC004A7848B206255533AB5E499
                              SHA1:85DC616A07C2BE3606EA5B96E7FEBD61CE0A7CA6
                              SHA-256:A65BC7822443F6AE7D97611EB5CECA57E2671A2AB04BBE389464A90D77BCC8CF
                              SHA-512:6C5935AB648181BDAE5580F9F2D879B75AE463D54CD136475C7578EF92CA9926E9B3CA3C27A3F870C97A63BF3EA3D4A1630C4B6F37FA9E23AB5EB3CE031544D9
                              Malicious:false
                              Preview:H...&.^.HQ.....K..Q.../.kb...o.{.bwF]l..&..e......dDTT.o".A.;..;..;..;..;..;..;..;..0..7-Zip..Swahili..Kiswahili..401..Sawa..Ghairi........&Ndio..&Hapana..&Funga..Usaidizi....&Endelea..440~....'....$..].K.......d.*pZ..6.C..+..!..<..(,.......D8S.De.".harinyuma..&Mandharimbele..&Tuliza..Imetulizwa..Una uhakika unataka kughairi?..500..&Faili..&Hariri..&Mwoneko..Z&inazopendwa..&Z..>..n....`..[...u..j...h.*]*.,.;.sd..-..Y.W.......eXTT./_.".ko..&Hariri..Pati&a jina upya..&Nakili hadi.....&Sogeza hadi.....&Futa..&Gawiza faili.....Ung&anisha nyaraka.....S&ifa..Toa m&ao..q..E.'..k..S...$.......[.-1U..1./.Y...-.5..C......k\y8..D.A.F&unga..Kiungo..&Mitiririsho mbadala..600..Teua &zote..Ondoa uteuzi wote..&Pindua uteuzi..Teua.....Ondoa uteuzi.....Teua kulinga.....h.......\...a......d.'9N.,.n.2b.."..^...v. ....f.2+..I.F.koni ndogo..&Orodha..&Maelezo..730..Haijapangwa..Mwoneko bapa..&2 paneli..&Miambaa zana..Fungua kabrasha shina..Juu kiwango kimo..R..!....m..K.............5K..7.7.^H1.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):12775
                              Entropy (8bit):5.830759502996535
                              Encrypted:false
                              SSDEEP:192:v7MxwP+sU5ByB+xlTaTu2/Le13R7HJBkJ1jxJE+aezUnWrwZAFlqyc5Xhl14P:4+U5BtlTaUjXkJz3gTIlk6
                              MD5:BAE99AF708D076C3C69A6FBC06E077E1
                              SHA1:289F03DA612226233B9602532CA88F0E569ADD98
                              SHA-256:0BF58D5927C71E1E94DEDB635BDDEC298E93C46264FE8648B4A91F4DD3A0B96D
                              SHA-512:71EC448E51B054195DAFA68B5204964C04C38B305A9E6C318EE6C16368967142D25E94281D2270447A64C459E43FA4738BC271A178E01B3CEC49F95D93F63F80
                              Malicious:false
                              Preview:..#.....X.=..<.....stP....7.....t.%....Qo.....\.wr..so%}..Y5..;..;..;..;..;..;..;..;..;..0..7-Zip..Tamil.........401..................................I7.%.H..%c)dtg....d.%:...R.C{.(.rdd~.o=.Jc.&.oO..OQ....R.......440............... .................. ..............I-.$.H.%..H..g...{.$.u.f...5.I.i1*oU...Jc#&....K.....T................................ ..................S...I!.%.H.0..H*t#Z..UJj.'.Dq,.5.A.i5*nM...Jc.&.oO..Ot....R.s...... ..... .................?..500.................6.H.P....a..)djg...N.%3...R.C{.(.wde@,...@Vh..!x.l.....N.....................540............ ........... ..........S.|Go.Wk.../..gu:).....@ [:.....{.f.'*{!
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15441
                              Entropy (8bit):6.187870584355274
                              Encrypted:false
                              SSDEEP:384:MmAcG0ndsbb+Bw9R2J64oIHcD92jEUqzbE:Sz6BwWJ6FI8c4Uu4
                              MD5:37A8091E68AF37A3AC7D53BF38F9A208
                              SHA1:D0F2A611053A59745B4654A647E7A90022765D2E
                              SHA-256:817140A0BD08A1036C29075F4DBE9936A940FB82B7AEC8E8497811535777CA95
                              SHA-512:F574B21587A1CC5919D5FB11CC6149B1201E600378526AA0B2E59629801CFB454D5ECBF005B88ABF0F1E67CFFF4B70A9925C2EEC232139E9C0CAFC004809BAAC
                              Malicious:false
                              Preview:g...c.J........#..*s..V.n.n...t#.......+..k.m...t..4....W.YB;..;..;..;..;..;..;..;..;..;..0..7-Zip..Tajik..........401........................&......&....&.....5..F..`&...2..0...!...q...R./Y"<....i}....!.\.t..ftq.W...~.&... &......... ..... &................. ........&........&.. ... .........&....8..D$.^.h.3..#z.....7q...P.-r#....;jv_.Wj.~v.Y..gMq..q..........., .. ......... .... ...... .......?..500..&......&........&........&....X..o.....YFOsC..1....p...S./W"5...;..........X..f{..B.r-.Wv............. ..... &............ ..... .................&.............. ...X.+.)..q..2...{.]...V!...<..:Q...........Z..4..........sQv...f....&.... ................. ..... &..........&..... ....... ................X.%o..!<bYSNKA. ..*sW=...3.D9BZ..V..._.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):16168
                              Entropy (8bit):5.919305012220995
                              Encrypted:false
                              SSDEEP:384:DS+0MsXZxQbmpbpBfZHeX9PgtMerRAvKeISsG4d59WqI7IN02aS1K7PWga8RmjFJ:DS+LsXZxFp1BfZHSPV7vKeISZ4d59Wqn
                              MD5:CAC32E748363E878B7069E7A70FCF4AA
                              SHA1:92F36C8B5706E9BBAC9C633CDB089B1F480A5C43
                              SHA-256:91CEEF84AC6363D0122F6E298017FD749E5F23610E1D0C06F9B1ADD32CE7A341
                              SHA-512:DC7BAFAAFDC9D6B1525BC6E44804BE27A0C569F5E5858CED567A59BE00EC8AADF8DA732450ECBE630A9780B4333E16A8001D46FC08E983B9C5BF93FCAA2F81BA
                              Malicious:false
                              Preview:...u.w..I...%>{.+...E..E..L._O.hI...............q.(...J...afire06..; 9.13 : Kom10..;..;..;..;..;..;..;..;..0..7-Zip..Thai.......401......................&....y...[.t.@..h...|q.7:..u"..(.>.1.rQ(.b.H=.8..,9.....)w...U..............440......................................y......BFk...).zb..-..y.(./.>.LQ(.b..=.....9....5..B.t..&...................&............................H^.[.H.@..h...q..:..u". %c.......m.p.%.qU.+.X1Q...w..#.Jm.....500..&......&.......&........&............&...........K4.?.Sr.CYk...).zc..-1.x8(.....,...|.X(d.s.#ia....9...".Kv......................................&........&...g....R|.BS.. .(.zb..-?.x((.<...LQ
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9545
                              Entropy (8bit):6.752911505121751
                              Encrypted:false
                              SSDEEP:192:PKiNoXCQ/YYQ2Cjzw0YDMfjrpJs67/NFMPF0J0NVRd8tq1YMwPa0jiy:PKiNx+YYujxJPgPF02NVr8tq1YM50j5
                              MD5:50904E9C01EB5E96D6FAC48A63BBD022
                              SHA1:2BA4AF195FCA2AEC4592ABD8D689CAA028D29D26
                              SHA-256:6A7AA3D32F147807BB7E9BB3A216F279E01B404C463FC2378D4E4BD126C52E09
                              SHA-512:9E7EDA63FB634F337B0DA51FF20CE633BC2766F5525BF9FCE4A43C618F2ECB0BA75FB256E1ED0869E456871367589A887F1D2E2D948F14D6D708321FA35166C1
                              Malicious:false
                              Preview:.6.~......_.9..c.9p8?%.....gq...q.k...F...F......&.*[.Y.z:g9...lkan H.K...;..;..;..;..;..;..;..;..;..;..0..7-Zip..Turkmen..T.rkmen.e..401..Howwa..Go.bolsun et........&Howwa..&.ok...a&p....4_....)...u.-.R&8kh...._..G$R/@.......~.~.#...w7..=..$..Dur..Ga.tadan ba.la..&G.r.nme..&..e .yksyn..&S.gindir..S.gindi..Go.bolsun etjekmi?..500..&Dos.a..&D.zelt..&G.r..F&a.x.[....H.M......R9..:.p....XK...L+`o|Jq....\..R.n5u..S=... 2.. A...&G.r..&D.zelt..Adyn&y ..tget...u .ere &kop.ala......u .ere &g...r.....&...r..Fa.ly &b.l.....Fa.llary &bi.{.....k.$.u..FI,.r......'L..O2.1G..R..v...W.n...w7..s!u*....Tapawutlanma..Bukja d.ret..Fa.l d.ret..&.yk..Bag..Akymlary .&aly...600..Hemmesini Se...Hemmesini Se.me..Se.im&i tersi.r...St7....(Fl..F.]y%....{L..C1M#\....o......+..~....w%t"...g.ra se.me..700..U&ly Ikon..Ki.i Ikon..Tablissa..Jikme-jikleri..730..Sortlanmadyk..D.z G.rn....&2 Paneller..&Esbaplar..D.+.?BM../.d._."..9.q|<.........K3XK$|{.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):10161
                              Entropy (8bit):6.71502371807396
                              Encrypted:false
                              SSDEEP:192:42KsChQRlah9xKVQ6YejNfS4FqmsiXa822Lsk6yd96wacCXC:42Kp/ZKebeRXs1iXmfi
                              MD5:AD4D091E391C96776676786849998A6C
                              SHA1:5772C6A13C7A83AABC1A0F3436B35C6B5D43E378
                              SHA-256:2CD691C9715DFBB97CE681F6F1E5E36278DA9C86B83037B6363C9472A50FD320
                              SHA-512:522A956F4D246752008F5D9262A928D71A86B5BA6EEA61729DE698D3B73A94ABDDD662FD9A4D8037EE5A565E5AD7D2D9C926692D235637CCAB48CED3CE453F12
                              Malicious:false
                              Preview:.s...^..jwQe..8TQ!......n"....E.z.....w.TIB.........b.n....p.18-11-21 : Kaya Zeren..; 9.07 : 2009-09-22 : X-FoRcE ..;..;..;..;..;..;..;..;..0..7-Zip..Turkish..T.rk.e..401..Tamam...ptal.._.E.=..o aE.>&==R<U......$c_ ....+.'.,.Z..dU.....0..Y...7H.'.&Evet..T.m.ne &Hay.r..Durdur..Yeniden Ba.lat..&Arka Planda...&n Planda..&Duraklat..Duraklat.ld....ptal etmek istedi.ini^7.-.Y..G?wX.]zJQ!.......'{J ....iY..,.q...B`H.:H.....%.$....n.lanlar..&Ara.lar..&Yard.m..540..&A...7-Zip ..i&nde A...&Varsay.lan Uygulamada A...&G.r.nt.le..D.&zenle..&Yeniden e6.).TBiX[.z.Us..Y.......8c....b.#B.^..2..tQfk.H.*..u.)#....1.ay. &B.l.....Dosyalar. Bi&rle.tir......&zellikler..A..kla&ma......Sa.lamalar. Hesapla..Fark..Klas.r Olu.tur..Dosya OlQ.O<.B......._...J. ....S..!l...!B..G.q.R.fk.......c.J..H.R... &Se...T.m.n.n Se.imini Kald.r..Se.imi &Tersine .evir..Se......Se.imini Kald.r.....T.re G.re Se...T.re G.re Se...%...F2...9.Bl....tJ.T.i.~...#F.+.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):14515
                              Entropy (8bit):6.306930761466133
                              Encrypted:false
                              SSDEEP:384:JIXo2pn/0Ju/6B0cq4H0qQGyX0RB9ge1uHS8ZO1OcL9JDc:JIXosn/0Ju/6B0cq4HRQPX0dgeQvC9m
                              MD5:638E927CA3A35C4C2F018DDDDCA3F174
                              SHA1:3AD4898F92717CEFB6F81AAADA93364D37088602
                              SHA-256:F425F782F234970FCEDACFF95C6B016D2B7B22B199A8196FFF3E3FC08AC45551
                              SHA-512:5EA329497E64BB6A2544EDB965B650581C65CAE693D56BD51DE9CC737205F7897C60D37FA944490A100D0B743EBC9E80EE8943044AC96FFFFEA6CAD37D34C041
                              Malicious:false
                              Preview:a<S.9..Q..}...zP.*y.`.../.....h.b.......%.<..jW... ..%.o....;..;..;..;..;..;..;..;..0..7-Zip..Tatar...........401..OK..... .............&.....&....&...........:Tu_...=......#..&........h..W.2^:.....p}.A.....z.0b.av).$..O. ........ .&....... ....................&.......&.... ........&............^3<?..u..P....#..++.=...V.Q.Ws7.{..%]B..9..+.m?..+hj1...D.A......500..&......&.........&.......&...........&.........&.........540..&...........4Tu.>]..U....g@....+.....;i7.4.z..H=&,.8....u?..)iQ1....?..O................ &............&.................&..............&............*W\_.]..o..n.gB..F..<...5......P{..(]N|..S}.@.?R....1Q.aw..*..N/..............&..............&............... .....................&..... ..Vm_.\%.a..C)gW....Y......i7.d......'.9
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11700
                              Entropy (8bit):6.4271175326768555
                              Encrypted:false
                              SSDEEP:192:7IFG8EEpM2EgoRV1C9X4ZtFRYAfeWKiBF61ovzF+BVRAD/l:7NAM/g+49oZqke3V1ovQ9ADd
                              MD5:3623B2E5C9CF131C67F8E260F6490066
                              SHA1:9192D8717B8DBAA10C22F64017BBA057E3155D27
                              SHA-256:70A3D30501FA4DBAAB659C91C3D852B96285B1B0092924F6C951804D7E44A545
                              SHA-512:8F528D9A59C4F7118D7B18BE1FED27F4645DE3A3C77BFB497F7D2FAA31F9C75D5BC5FC901A1BD1D53E3E302FEBA17808E547C27A57DEA3E36F702046DE583450
                              Malicious:false
                              Preview:g..."..&..-......u.[.k.J..Q.4..x..w...l...]!x...x4..........)...;..0..7-Zip..Uyghur............401............. ...........(&Y).........(&N).....(&C).............dD..V....H.E].%.^.......2...b.-.........H.....!.J.`.s....&A)......... ...(&L).............. ............ ....(&B)....... ....(&F)...........4...6k.)..e.6...Q.j1.v.D.....V..>.....xD.....\...qEH.b.....j....... ... ...........500........(&F)........(&E).........(&V)........(&A)......Q....c.k.)..~.>.....F.b.n.#A...)..m...H.......^...pkI+b.r/..1....... ...(&I)...... ........ ...(&U).........(&V)........(&E)..... .......(&M).h.nB...i.)..G.%.D....[.(..?W.=...e....I.......y....ppI$b.....P.........(&D)........ .......(&S)......... .........(&B).........(&R)..........Ds..."i.)..c...6..-...*....E....b.._].
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):16076
                              Entropy (8bit):6.203005156552274
                              Encrypted:false
                              SSDEEP:384:DKeXAeUHhcr8AD7OgAmUlYRkx68Yy586PsNIrUGxDxFxByF+AxOPXOg:iLy8AO/YRv8eCr/VXx
                              MD5:18F06BE890C273ECCCC469A7085E931D
                              SHA1:5EF757CB5E95290CD863894993950D2EEF95A189
                              SHA-256:E9D8CEF5317E5A7470615D971AFEDA707DF0F5327B39D1B93BFC43F7A37D6297
                              SHA-512:713322DF4358E4C1270C0EDCC98AB4B6660DCAD3067A1FB659653790FFA99024FEAFEC3BFCCB1F97EE8475207BF5DB6F85AA51746EA81136981FAD10AC3712B5
                              Malicious:false
                              Preview:.J.........o!..1..Q1%.v.. .-..+..~..-..w....Q..|}...D%q._o}.. : Mokiy Mazaylo..; : Sergiy Gontaruk..; : Misha Padalka..; 22.00 : 2022-0O...........n$..n.V4Pq*\..........S.....Z.......fPA.M'p.4:P.............401..OK...................&.....&....&....................&..........t......{...A.T.L.l...8..wD.G..*.}:....2...r.Yc.I...9........j.....................&.. ........ .......&.. .......... .......&..........I.O!...cc,...E.i(V.......E...w.S..;.."......=...lV8...Z............ ........?..500..&......&.............&........&............&.......!..+rcz....DR.l.i.....v{.b.%*...n.&+V...-sYk.H=...lX.&..Z........ .&.................. &.......&.............&................&.......!...rf.r.c....G.A.....wG.i-E....p.!.V.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15481
                              Entropy (8bit):6.143068857952323
                              Encrypted:false
                              SSDEEP:384:BHCr33wToE2YqehzAewFdm0YAU/H/Dh/1t:Bizw8RFehzAew/m0Y9f7R
                              MD5:A03BDA1563DA48042B03A42FEEB398C7
                              SHA1:3C383867DED86210D0226AEBCE6A28341CEDB13D
                              SHA-256:8A1E136ED1B28063C16595D3A171528B0D918F6FAA840DCE213ED601EF259C28
                              SHA-512:889A069EF454A9136DFEC02B8B6C7FF76F696889F8528217D38B16975B4CE6044F9EAD18E832B6102DD3E267248BC74AF70AD530C33160FFE32B4CDEC71B747A
                              Malicious:false
                              Preview:.f<........D...U.&wkqXU.j...?.*.g..!x{J..6.uv.9...e+m.w<y...}$.;..;..;..;..;..;..;..;..;..;..0..7-Zip..Uzbek-Cyrillic...........401........... ..............&....&........s6.&|.....7...."...'....z...............me.H7_1.)I....1... &.......... &..........................&.......&..... ......&..... ....X.=....6.&r..'?..>....I.V'..I.Z.......}.v......oE......!V..a.?..500..&......&.............&.........&..............&..........&.......540..&.z...2.r4..."QoY.}....J.Z'.?-...........0w..n.D|$.......I6B.`......&.........&.............&..... ..........&.......... .....................u6.&v.1';.....C.H.p&..E..v....I....s.@.w~...b.....V..a.....&...... ...........&......... .................&.............&..........4gRE^..^.O...&......n.".>G../........l
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9697
                              Entropy (8bit):6.683087816859785
                              Encrypted:false
                              SSDEEP:192:nGSytFJn0Dqt/U8EuqRV5EMQfTFPCi8foOYK+aNHKF:GzvJ0DqtM8EuqRV5ERLFqhwxaNHKF
                              MD5:27AE1D978065EA2B730450CAC21376BE
                              SHA1:0654C768B7608EB8A9BBE5734540C5A8EBCC38AC
                              SHA-256:8E2BCE501524B60003DA15D455265C8BBD54C204049A66EA5921D1400FFFDB6E
                              SHA-512:F1233348F41113FEB0EFE4AAF13B71390AD91853FB2BF3578C8C23C5614CD6A1E2E4525C2D337E80E650FD3D45EF7C7B25DF7D8614A8658D836C14F1CA559565
                              Malicious:false
                              Preview:\..n.....[...[.'.'I4.....x...V.....PH.2.e.%EE....(.W..P._..&..;..;..;..;..;..;..;..;..;..;..0..7-Zip..Uzbek..O.zbekcha..401..OK..Bekor qilmoq........&Ha..&Yo.q..&Yopmoq..Ko.mak....&Dav..0O'...6.m...#.m.^...Y.[......V....8....U....%..8.V.hz._..5..n..&Fonda..&Fonda emas..&Pauza qilmoq..Pauza qilindi..Bekor qilinsinmi?..500..&Fayl..&Tahrirlamoq..&Ko.rinish..&Tanlanganlar.....=T0...1..ma..`r.R.....[......XJ7w_..h..-..L..>..#.4.C$.M..5..ga ochmoq..&Ko.rinish..&Tahrirlamoq..&Qayta nomlamoq..&Quyidagiga nusxalamoq.....&Quyidagiga ko.chirmoq.....&Olib tashlamoq....4B&...^......nF......7.....^.X....s..6..BU.sO.F.a....W.. ..r..&Sharh.....Yakuniy summa..Taqqoslamoq..Jild tuzmoq..Fayl tuzmoq..&Dasturdan chiqmoq..Havola..&Muqobil oqimlar..600..&Barini t...4V%..~.+O`.A.~.U..B.?..J..DP[....a..>.. ..<..-.V.K^.3o95..amaslik.....Turi bo.yicha tanlamoq..Turi bo.yicha tanlamaslik..700..&Yirik ikonkalarda..&Kichik ikonkalarda..&Ro.yxatsimon....Z,..S.5O..V./e3...P.7.....:1x....i
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6736
                              Entropy (8bit):6.5961395514882675
                              Encrypted:false
                              SSDEEP:96:1kUDagmvKJwsklmXzV8PZHKLwFpStPtFs57LrnfIYiJYcVaHC8o4793UNhAe2kLD:/BDJ4mDguwFktPt6573fIY2Pn3l2kLVd
                              MD5:F760BAE2E9D86556635ECDA41D0C168A
                              SHA1:EC4881F1B46AFA469A74658FEF87B7778EA7E404
                              SHA-256:9032C9E07173EECA2A7A91944FA1F7C252B4C1BBC41FDC12100E12C8263C9822
                              SHA-512:3985D008B596425D0DA29A7CA33694EF5BB360175C83B89A7B0613C5631AFD32FD3DD8AB0140663837253C80FF652CFBDF73264D4C1F0AB41BFB2BFC0D5E1D8D
                              Malicious:false
                              Preview:..o.... .?.Z..x..k..DUDC..O.^h.b(.Ed..,i...w.4...JR{0/..Gr.32o Verd...;..;..;..;..;..;..;..;..;..0..7-Zip..Valencian..Valenci...401..Acceptar..Cancel.lar........&Si..&No..Tan&car..Ajuda.......5.6.{.&..G....AL...x.Dh.b{..b.JU...........8cn!.?O.:9n pla..Primer pla..&Pausa..Parat..Est. segur que vol cancel.lar?..500..&Arxiu..&Editar..&Visualitzar..Favorits..Ferramentes..A..K...u.U.<..^..@.....A.W.....H.q2.(k..!......a.....:x.Y.px.)7r..Renom&enar..&Copiar a.....&Moure a.....&Suprimir..&Separar fitxer.....Com&binar fitxers.....P&ropietats..Come&ntari..Calcular..O...4.U....^..j............xb.q{.ay..2.....f...NVV.\6.P..49n&ar-ho tot..Deseleccionar-ho tot..&Invertir selecci...Seleccionar.....No seleccionar.....Seleccionar per tipus..No seleccionar...X...1.+........)....D.L......N.l5.{-...p...p.2.....:..u.Ph.1:s..730..No ordenat..Vista plana..&2 Taules..&Barres de ferramentes..Obrir directori arrel..Directori pare..Historial de carpetes..'...5.9.s..M...@....n ....x.Ot....ll.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8829
                              Entropy (8bit):6.820050489374242
                              Encrypted:false
                              SSDEEP:192:xRfWjXSAF8GhovVbHxaeqlX/qZuJ431o+1dfO:xRQ5FVhovpHxaeogQ4lo+7O
                              MD5:AD2DFD2F8A31838891977379E99AD5EE
                              SHA1:DB45C6CC350FFB01D70F24414591738D809CFD50
                              SHA-256:2B23AD98D4A25A16CFBD7F4FD2701A076788B49FA76B1AFF59C29FF1A85438B5
                              SHA-512:EFCCB49B1E6AA79F566FE73EC5B776A91D4A6477F1DC975DC4CE4DEE2EB9FC8B30D426834778681162197B95CF37E070EFF1E671124AA2E3062F931961870B12
                              Malicious:false
                              Preview:0.c.w.=........ ).6{>....=.<G...W......@}..ST..-c..@.<-......2 : : Le Vu Hoang..; 4.48 : : Nguyen Hong Quan..; 9.07 : 2011-04-12 : Vietnamize Team..;..;..;..;..;..;..?.f.{...3..he.Z.`D:.-Z]...Z.W..:..js.r,?.{..>..(b.*..=.. b.........C...Kh.ng....ng..Gi.p ......Ti.p t.c..440..C. t.t c...Kh.ng t.t c...D.ng..L.m l.i..Ch..$.g.K....{*......Q.*.Sg....>...g..R....`cE.c@.k......I.Vg.)c ch.n mu.n h.y b.?..500..T.p tin..Bi.n t.p..Xem...a th.ch..C.ng c...Gi.p ....540..M...M. t.i ..y..I==.......c.t=`l1....4..W.w.Q.z...B.....y.Q8./...v.(...4.Y. ch.p ..n.....Di chuy.n ..n.....Xo...Chia c.t t.p n.n.....N.i t.p n.n.....Thu.c t.nh..Ch. th.ch..T.nh .l..=......'....^~.H..Y7.-Z......s|..de.J....y.ExLX$x._.`.3.l.o.t..600..Ch.n t.t c...B. ch.n t.t c.....o l.a ch.n..Ch.n.....B. ch.n.....Ch.n theo lo.i..B. c..g.8...../.t<ld...A5:U.N...@7.TwW.8.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11278
                              Entropy (8bit):6.748913448588631
                              Encrypted:false
                              SSDEEP:192:M6wg7PuPyNmSg4e2XMSAerMenVrANBOd6koxUhL7kWZ6Ud1i9kXG4zfIWRH5mDQT:MKPu0MderMGrgBOf4UhLAezPzA7a
                              MD5:1646B276E0955D4C54253772B04ABB8D
                              SHA1:373ED51F7732695C6FBAEF74AD3433C7883B5A53
                              SHA-256:00778BC0B7BCF5B064A665965848C016473DB58CE195305CC3093212C3E5167D
                              SHA-512:DD93060494A4213C182255E17C84CA9EFF4DBDADBEC449C5DF6B49CE34C162DBCC7CD41D1A64D724F3586A33090F1151437C56249C03B1B91513EB3524A41BD7
                              Malicious:false
                              Preview:.!u.L(.....i..N.TVX/...h......7I^.C|0...v.~..-.\...R..n......;..;..;..;..;..;..;..0..7-Zip..Yoruba..Yoruba..401..O DAA..Pa re........&B..ni..&B..k...&P.d....r.nl.w.....&..F.k.V..<....4ShW?..."2..R.."..NNhn.^.].,)...v.Mz?.N.]<...v. &gbogbo ...D.r.....t.nb..r....&...h.n-.gb.h.n..&Oj.-.gb.h.n..&D.d.r....d.r....e . d.j. pe ....T/...{V.*..X8...+..m...+......IcD/.D.T..E.N.....4..y..'..f..&Irin.....&.r.nl.w...540..&.i...i &si .n....i &si .ta..&.w...&Tunk...&Tun oruk. k...&...d. si...8....V...T..X4Sz3n.&.!....^>lD.A..e....u.)..N.eo`..O.....yo. k.p.......&.b.d...&.r. .w.ye......e i.iro checksum...y.t....D. .p. fa.li sil....D. fa.li sil.....P.+I.3..{sIh}...7.|Q}.R..}X..c..A./)..]K...r.LH....M.......#.gbogbo fa.li..Paa ...y.n gbogbo fa.li..&Yi ...y.n Pad......y.n.....Paa ...y.n........y.n bi ir. fa.3l\.'....{..0e.. ..a...x.........IcD>..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8581
                              Entropy (8bit):7.122096447793698
                              Encrypted:false
                              SSDEEP:192:4BuIjbINnnl1UcLn7MRN9poLjNi29TSzyv0Pdd5yeVUZR2iZTRC/iQ:Ylinnl1Uc/XNibyEk7ZT0/iQ
                              MD5:205D445E15C39FF4BED11941CDFED2AB
                              SHA1:C92FEB53084AE1BCA0EF5FB032F40ECF26330DD8
                              SHA-256:85C3930C263E5E347062F77968E773F902B8E803B7E58F3B10F2FF2B9FC8EFE4
                              SHA-512:F248AC3B1BD05481543F86F86091120336A9C92B7E3A648D0C574ED02DD14CB0E0973636C1A3EF6B7F0B0349D969DCFA2E15C23E6668BF8765645DF2D0A8A96D
                              Malicious:false
                              Preview:yLgl..w..._.w]|^.C8..|..s4......._..x...z...#.Q..c.N.$...L6.G!tu Li..; 3.08 : 2003-08-29 : Tunghsiao Liu..; 22.00 : 2022-06-09 : Tunghsiao Liu..;..;..;..;..;..;..;..;..0..7-Zip..Chinese Sim2.NF..t;.........^XC.s%.5.U%.nyk...=.&..y.[.{B..T.......'rN)....(&C)..........(&C)..440....(&A)....(&L)..............(&B)....(&F)....(&P).......mP.<...x...8..I:.OX..%.c.7v..S..B....]..y.7f..+.mQ.N..b3......(&V)....(&A)....(&T)....(&H)..540....(&O)........(&I)........(&U)....(&V)...........<...z...1a%..C.[.%.B..Y..%..a.?....G....9,.q.a...(..(&D)......(&S).........(&B).......(&R)....(&N)...........................**.L..m.".iYIuU..Q....d.oKm|p..%..*..v.~.g.AB..I..9................(&I)..........................................700............<...z...;a%..C.[.(.\....lcV.L.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):8668
                              Entropy (8bit):7.1221830809516335
                              Encrypted:false
                              SSDEEP:192:2D5RTogJewMM93yL/9ZP00VJDeWyDY1k7AJQkRqvNn+s6yzcG:2FRTogUk3yf0oDSZR+s9IG
                              MD5:D2BAB57980EBAF5ED8D9E465AEDDBFEB
                              SHA1:31D1B4C5A268B659E518F01CD75C11D3EA509CE7
                              SHA-256:7219DA7D9D61EA8210F9CF8CAC9AE5334B52D8E88BD44B62F5531860D608E0D0
                              SHA-512:E05EC00B2744E3550AD2BF4FC3A5068FB501BF5F5AAC8B4E97284EBB77A32032EF722BC64AA3E4BCD298C89A0290FEF454228F6C3C45FBE30F84A9168931646A
                              Malicious:false
                              Preview:c06...@..:.V.4;R...N........!.U.....L`I.........."h...H.. - 22.00 : Jack Pang..;..;..;..;..;..;..;..;..;..0..7-Zip..Chinese Traditional........401.................(&Y)..l.j.*..P>.........m..49..C..>..VaB....!&..Q...Cu.!.?V~_.S..A)......(&L)................(&B)......(&F)....(&P).............?..500..m#.*.......&..j)m.b....[y..1.....Z...q9:.(gYa.7<U..oi.<..r)....(&H)..540....(&O).......(&I).......(&U)....(&V)....(&E)......(&M).....(&C.......{5......<...j...v.[2...?.....4....u2.ok.o._;v.h.)h1.A.....(&B).......(&R)....(&N)..............................(&X)..........m..*.......&W_$..'/.U)d.......wU`s.=./..zRC._.C.v.p.,...P.DW...............................700.....(&G).....(&M)....(&L)......(&D)..730..m.AQ.Nk..&...k.IL..@z.?.2...HWxB.U.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4304
                              Entropy (8bit):7.828295296724799
                              Encrypted:false
                              SSDEEP:96:zjHiBYjTQgj5qoUslIWFaCnJjPbg/9vfG8nRj8WAGxuzilZ65QnXI:zjMhg1ws3XnJjjg/xfG8Rj8X9zKZ6/
                              MD5:695190AB6ED5A4FE030EF46A66FC694A
                              SHA1:B8A59F96E55BD84C2F5FAC7AD5C1DAFF8714982C
                              SHA-256:9F6E4438C2F1ED6D6F857465DF26B57478A48BE245EACD25C664D8B02E20A00A
                              SHA-512:6D1DD8F365E4AAE83651754E87E768AD1DE42DAEF4410CB20866535BAF39E1B46D8EBEAFCEEA2D4B556BA1857D94C7E0A77A2443C692EED240A88ACB643F49E9
                              Malicious:false
                              Preview:......v./].m.{.=C......*....M7......5ywY...H.eMgp&{.#r...S.m......x.[...m.{.N7.......Se.\..:......! aY.....S...qO8.`.....t.......p.(w..3.Q.Ui.......*HB...q......#<)=y.v..0.?6hA{-6... .3.K.....+.q...1.K..........y.E...{.....q?|BS..R.0Vh?<.d#1... .3.K.....+.q...1.K..........-..^.QE.....47`US..R.bPmk!.o!r.....|..........]..3.%..i........H.Q.Sv......2<}C..\G.b.}p%.!`=...'.3.K...&.Q...3.l.U:......&q\.xG....s[y3b...R.bPlj<.nm!....z......k.H...3.`.B&......5.P...{.....q0}V...@.yV`?..nnr...^.u.......&.k...)....i....7HQ... ......?yr^...N.`Lzz:Z!j<...I.}.K.....s.@..}.d.S&.......5e.\..7.....+8gY..R...L.{'.&wr...I.g.K....c.....c.|.V&......we.q.2....^..C|S..G.bTok!.o.X.....>.F.....+..P..>...=C......*HH..Mv....^7+vUS..G.gX|zsVxl'..C.a......s.@]..3.k..&.....4.@..F7.....4+3D..\U.bT}?'.!w:...c.3.......c.@...3.p.\ .......G..Lr......35zC.....i.zw-VGq7...B.g......h.D...}.%.Y=.......yHR..L~....Oq6u......yZkq;.-#=...L.3......o.KT.}.%.Q=.......0.JR.5.....*90
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):6.602276299126847
                              Encrypted:false
                              SSDEEP:384:ylz1OWDidlOXCCJPVDViXyJ+F2OxO9FWXBCZSjjDHM:+z1OWDidlEHjiFF2OxO9QXBCSDHM
                              MD5:791A2B401A57F543DFA06E3623F5E265
                              SHA1:99D6545F9CD7F183C1DB8D37DC09650B5614CD30
                              SHA-256:B2CE9FF4F1F76CB091D9625C52DE796CD3586371853FAD19B9B9F5385F4A0EA9
                              SHA-512:E50DB9C3338BFBA5ED865DA01321518FCF14E745BAEB39E9145F8E8A36EB937E4E33B9A7461F81E4DC6BFA629CAC29D4FFC4EA46E4674A9FC0D6DCEAD5C85F2F
                              Malicious:true
                              Preview:.h......[..O....8z..O%..Qb..B..=q_.:.l.].....X_wR.F.I.................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X...}...B=......h..`.X....b..B..=q_.:.l....R/.X/9.}F.I..................@......f!.......0....@..........................p..............................................$9.......`...............2/....._..O.d...z..O%...b..B..=q_.:.l.].....X_wR.F.I.....H....0...............................text............................... ..`.rdata.......0......................@..@.data...X....@...0/....._..O.d...z...%..?...!...~_.:..l.M.....X_wR.F.I..........................................................................................................................................2/....._..O.d...z..O%...b..B..=q_.:.l.].....X_wR.F.I.....H....................................................................................................................................2/....._..O.d...z..O%...b..B..=q_.:.l
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):6.602276299126847
                              Encrypted:false
                              SSDEEP:384:ylz1OWDidlOXCCJPVDViXyJ+F2OxO9FWXBCZSjjDHM:+z1OWDidlEHjiFF2OxO9QXBCSDHM
                              MD5:791A2B401A57F543DFA06E3623F5E265
                              SHA1:99D6545F9CD7F183C1DB8D37DC09650B5614CD30
                              SHA-256:B2CE9FF4F1F76CB091D9625C52DE796CD3586371853FAD19B9B9F5385F4A0EA9
                              SHA-512:E50DB9C3338BFBA5ED865DA01321518FCF14E745BAEB39E9145F8E8A36EB937E4E33B9A7461F81E4DC6BFA629CAC29D4FFC4EA46E4674A9FC0D6DCEAD5C85F2F
                              Malicious:false
                              Preview:.h......[..O....8z..O%..Qb..B..=q_.:.l.].....X_wR.F.I.................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X...}...B=......h..`.X....b..B..=q_.:.l....R/.X/9.}F.I..................@......f!.......0....@..........................p..............................................$9.......`...............2/....._..O.d...z..O%...b..B..=q_.:.l.].....X_wR.F.I.....H....0...............................text............................... ..`.rdata.......0......................@..@.data...X....@...0/....._..O.d...z...%..?...!...~_.:..l.M.....X_wR.F.I..........................................................................................................................................2/....._..O.d...z..O%...b..B..=q_.:.l.].....X_wR.F.I.....H....................................................................................................................................2/....._..O.d...z..O%...b..B..=q_.:.l
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:COM executable for DOS
                              Category:dropped
                              Size (bytes):680
                              Entropy (8bit):7.118737271223375
                              Encrypted:false
                              SSDEEP:12:CZC52pV+sduwKxQkBB32/oeESuIqPhLeDz7gmf+oS/4A0oCOyIl0/S:CZlQkxqQkBB3F2sPsXM/4IFl0a
                              MD5:838DED3D7EBF44E9C773AB0AC254632F
                              SHA1:439FE913F6AA0DDE1DFABEF5E2C854EADEEABAAF
                              SHA-256:DC29D0A2D7C3AFCE1B2FDAD069651B7D2AC349C84C63F7C227B53EE6690B4640
                              SHA-512:01F162CD9A3646808E670D8691A4A2C2043E9EAB9D10AF80DA2A493980DBEEEF232B4522BBA108CA64D6B5D3BF34B65D11C752832378CFD7FE61B11D70DEB92F
                              Malicious:false
                              Preview:......&EL....|x....5Ks....X/.......N..)...8/.g.kQ.7.4....z.Jti..U...He...X........)*Y....X!.......-.FW...qv67.6+.j.u...G.j3j...HZ.O5.fjs..SP*...).....6.9....I.S......g.<M..a......$E0[p...2..G"HS20..r&B...rk#V...}H.i.....N.HW...qv67.6+.h.:...?\`ip..Jr}.O6YNMC..m|...,6Yw..Gs.n........#....3z..*j..k.i.....P~n|.txt 7-Zip License..readme.txt 7-Zip Overview........w..Q..@..h.d.D.....a.V..#ED.@U@.....=~mM+..9T.+....4..d.F&....Re../....,.i....y..Y... ..W.n.s.E...P)...ox.>,...J..'.nf.C~.T.h..1./,h.....l.s..^.B.G.0F...&.O..I..0......,..9.S%.....N.#.......a......................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:24:F6SGOzWKJa3l5OCYj1C1PpiyE/xVHpmjxNkX0lOhA5:VGOzW663RNsxV0jVOK5
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2022
                              Entropy (8bit):7.687906752602545
                              Encrypted:false
                              SSDEEP:48:0pdiJpzRlKRxmkPj7mll68xhkfp2TWylwkyhfTo:udUpts3D7mll6fx8ViFs
                              MD5:3E9008BF3FE04F85E0B01036C136BA18
                              SHA1:5C9F8D359045FD3E899669E49E934BE4FD2C0518
                              SHA-256:AC1C52B67FEE0FEB43DB6E20E7846A11D9859E58077B882D6C6A45042589ADC6
                              SHA-512:1B19FF53AF41D033A39390B3BF93C073D94ADB50AC7DA286CA0677217C62CADA944DD0CA05ABD9AE0DE52709E923CA82A018BF59B81E5A9378BE0BF053169A35
                              Malicious:false
                              Preview:..Q..";27..^u->.."...v5...JY.n/.Q...l..;(......&.KI..d.v.......5$[p....pj.Yh..s[..yW..vQBZ.Zb..%......I..J..%.8...K.n..mo!..e:.:3.:....v8....`..Y6....Tb. %........+.KA..d..8..._..."$!J.O#.rg.T/..6y...JN..fC\Z.\n..<#........(..H.Ts..8 ...|.B...)FC.o._TR../..{y....#.9LCQZ.. ..<4.......-....5..4X.....Y.."K`j..gS P.r#....4.....B.w4..<..-...h.......Kh. h..^+....+..")!9..s_ 3../...{8....lN.g.OQ6.u!............."..:..4X..m.+..M^35.m.-,3.:/...{8..`N..fCQZ..-............+.8..!...8-....]...)WQ..s)HW../...4....`..Pf9_w..-...%.......&..F..d.|X...Q.{..qzhv.2Y_ >.cj..>`...4..Sf...._d..&=......%..B..I..8U...L.e..CLR4..e_e}.Bv..4v....w..U(.Q .m-.. )......c..[..6.q....W.c..kgev.Ls,hv.\....v8...2..Xf%....@..3#.........J..1..{...P.+..ll!o.M .o}.:/....w...:..])..Z.R...bd......0.a".yN..B....M.m..g)rv.K$.rv.Tf..2z...`..P#.Q..X-...d...... ..[..+..m.....d..+'...Z2. _.Sj..ul.../..Y)..Z.Sk..?%......6.KC..!.}V...4....Vahj.[:.ta.Rz...58...!...%....Tc.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):187151
                              Entropy (8bit):7.985715176238855
                              Encrypted:false
                              SSDEEP:3072:4y64XoKcQ9PUBmEWjeCnJWnGQiDUiKfq3Tg7rNfKHen01GXn1Kdcrg+wjRRZjP:HXAQ9PU/XnG5DU6M7RiHen01ugsg+wjJ
                              MD5:1CF953C49C0408F00892993E0B0EDD3D
                              SHA1:F969F95258DC26C2354A78DD55086E95041988F8
                              SHA-256:1AA27F3462B06AC2225993A0AC6680B008617476FE264005B76C12B1D0830F23
                              SHA-512:E8481A2228225BE38AAB4A4C199232F027C627C4EA6FCEDE349BDBB23E94E83873F4234E201FE129F13D225D106278F1F75C378CCB6BC89F697FDE9F6E4D5F7C
                              Malicious:false
                              Preview:..JLT,g.lM...k...[#.=..3....l.5....Yf....4|_...e.(zz.....^5...'YN 1/T 186532/H [ 482 168]>>.endobj. ..22 0 obj.<</DecodeParms<</Columns 5/Predictor 12>>/Filter/FlateDecode/ID[<BA..H3H*..#,n9.>..^3.*..h..c.e\....AN...9lW.....3p..s..VLy.)D>]/Index[10 26]/Info 9 0 R/Length 79/Prev 186533/Root 11 0 R/Size 36/Type/XRef/W[1 3 1]>>stream..h.bbd`.``b``....~ ...D....l. ......[P...Q..m.....@..\@.~O,$.......]m.x_n...O..P4..E.X.`2..t.bj.startxref..0..%%EOF.. ..35 0 obj.<</Filter/FlateDecode/I 102/L 86/Length 83/S 38>>stream..h.b``.b``2`...8.P.#..0p4 .qA..M".=...(..s...#.%.x.hd.&/*.R|....u.4F.E~....U.5..y.7.c[..b.am.endobj.11 0 obj.<</Metadata 2 0 R/PageLabels 6 0 R/Pages 8 0 R/Type/Catalog>>.endobj.12 0 obj.<</Contents 14 0 R/CropBox[0 0 ..<*N${.N%Nl..L..03.-..h.....7t0...MwX...X.A...9.uV?....._-m....ate 0/Type/Page>>.endobj.13 0 obj.<</Filter/FlateDecode/First 88/Length 868/N 12/Type/ObjStm>>stream..h..mo.0..._nB.Oy..*u)....oB,B1o...X..bZ%P8....q....G...^..3Z..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):213266
                              Entropy (8bit):7.110807468268704
                              Encrypted:false
                              SSDEEP:3072:GvcKSX7V/+vAC3D01eXPwC4lTJINYx1p3S16NXdVMNlHu/76COMZZA6oTASgkH6E:GkKYs5eePwC4ljb1jMNlHLMASAC47
                              MD5:1B82C29EFBD6985395F0E8FDAD980969
                              SHA1:79D31A27877056F4374F2095F86DAEF1D095DE21
                              SHA-256:5C49D9A3F46850D27D510EA1BA9905D0792C4E9307FE80A0722B5AC19FAA7F66
                              SHA-512:E7A284F64243F94694CB01D0008F7E5A8FFD851674178A05427C0A25BD3A5FE0288B22B82921CE0C531B66EE13F3DEF7B4470318C1D2CD341E0DD28B56BFD96C
                              Malicious:false
                              Preview:.r...1....5.+.%......u..Z...'....V..fe..SW.)^..Y.6.N.8M.@..............!..L.!This program cannot be run in DOS mode....$........ba8X..kX..kX..kQ{.kH..k.w.j@..k.w.jP..k.w.j[..k.w.j^..kLh.jP..k.R)..2....;.@.N.....z.8-.o.$......ej.GP..p]...e;...7&.)`....v........PE..d...B..d.........." ..........d..............................................0g.....k.....`A.........................8'..1....5.`.%.F..e.u.;....&....1..ce...1..L..Y.5..8M.`d.Y.......p.......................(.......8............0..H............................text............................... ..`.rdata....'......"5.p.%......u..Z...'...7.fe.W.4.)^..Y.6.NN:M.@........@....pdata........f.....................@..@.rsrc.........g.....................@..@.reloc....... g.....................@..B.('..1....5.p.%......u..Z...'....V..fe..SW.)^..Y.6.N.8M.@.....................................................................................................................................('..1....5.p.%......u..Z...'....V..fe.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1227538
                              Entropy (8bit):7.288809651794473
                              Encrypted:false
                              SSDEEP:24576:rhFni3xLghsUq807/Y8nb/NuNume25oPpEyWDXXOkEnu+Zm/6WZTSrIEWDT6dQdM:VFn3sr8AY8b/NshPcu6m0WDT6dQdTUX
                              MD5:6EDEAD6A4A4A103F0AD45CA5868344CE
                              SHA1:BC65D4BD17326C4CFC359059AFAF6B4542AA2F59
                              SHA-256:9D1D3A2BC593B3E56375053F2E4651A476EDD0C3AFB79D2E687C0BA3E3D31CCC
                              SHA-512:CBA8EB9168A8E5EDAE2947D762D964B7733854835B4CCD0B6E868EDB64B562272FDDD9DC904FEFCEAE38D76F0B1BEFFE65EF34361D848AF8C71D14B55A0BB9A4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):653074
                              Entropy (8bit):6.134788678307054
                              Encrypted:false
                              SSDEEP:6144:i20EykVeNBc5DXjAhjpyLE/H/zq3NfNaNOm+Jh/aXJK7kGysUi7MNPJj1Ot9XScm:PnVGc87+cPJwjm
                              MD5:70631C3B6A92C1A41ABC5F1FAA8E142B
                              SHA1:221A6D3442AD0CC83B7FFEB97E0AC87AA7A18214
                              SHA-256:6EC727774D2A3DFD352A4105D4EB640AD92FCEF95A2D6CC44A83A8A5D739AFDB
                              SHA-512:48D42A56784167A587DE2456F2B5A577F9B79B7C0B8A6865B3E5C49B9DA3730A8BBAB9C81167E39D41A66A15FF45B0EE72F2C3399C2A6A6ECC8A0C6C0081074D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):339218
                              Entropy (8bit):6.250568557363036
                              Encrypted:false
                              SSDEEP:6144:y3tfElY0RKXQrau0tleDrVWzxXr+1EIFB8X9XXsg6cdTwymoWJvGTqqvQaCVEzWE:y3DX10Dej
                              MD5:1A947080BABF8E48CFB5D7159A9F1A84
                              SHA1:1940EAEB578BFED8D3C893273E5ED61E25296813
                              SHA-256:F5E72455E660A85DA7886BCD69482EFEB858221463B31C62E0DD7791E8147085
                              SHA-512:3CAABACAD457494764938BF2756D302A1043A7B22E72167FD6FF68354BE7BDA5FB4C82D564AEDFFB7BE23712A3D0ED7223D917D63FD451CCADD9F1170EE6DCF6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7146770
                              Entropy (8bit):7.194417720102254
                              Encrypted:false
                              SSDEEP:98304:0+chLcmw/xFP8eDse+5gUMt6T8cDkBozHJtGponmTqpzU+ja6Uqdn:VchLcm40eDsT5gUMt6T84a+vn
                              MD5:65E0440BA9CF0F3C24239CCB1385FF1B
                              SHA1:B6DFE05EFE28F434BA7D7800DAAB569DF764AFBD
                              SHA-256:E615954D2EB2BEDBC890C50F409D32321FE61BE354AFD0F1A6B7EB6897278C19
                              SHA-512:B0E07FFC6528D92225F302D9E12381D984C3C1CBDC9511C1E9C211202E8C0D3704498745C7F4224CDF006FBDC173AB8AAC44FD8B2121D8C7F1174779C2FF14D1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2041
                              Entropy (8bit):7.616175088399003
                              Encrypted:false
                              SSDEEP:48:+Ad+/NNcNKNBDYcJGG/GE3EikePP813gln+eWx:5OXqKfvGG+E0o8UnBY
                              MD5:7323E33E79D39CCD97AE03348F973B22
                              SHA1:4E524302A5E32B77CAFA89D5B7B975E88448C8F7
                              SHA-256:B7995C5BE619E90F46933EB960CAA80F2D042A62E131F35C055EC0B203D0948F
                              SHA-512:6ED1ACB9EC8C1937BEEDC071B250D38C0C0AFBA4FB3070D861D4F3D7D445BC7264AE4EBC66854191B15A5578BE04C045BCFB0E4E3410DE6ED94F9C3912497C48
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9668362
                              Entropy (8bit):7.426244578956975
                              Encrypted:false
                              SSDEEP:196608:VYtPv+fSufhT8YtwdDX+FES+w289GS7PwVQtCqmMSw9HSvw6aSU9KbjwzwG3D0me:qtH+zfR8awdDX+FES+w289GS7PwVQtC7
                              MD5:1CD3600BA133DB0366474A9AB07A3590
                              SHA1:68E38003A5BF7CE00A156505E41B917B783123A7
                              SHA-256:87D11916F1B8E4FAB914116CBBFEB644A6697363A83B9B21E95C07BDBDF192D9
                              SHA-512:BFB8DAC7CEB66C8A6881716E911AA6161FF47B467149B1A6C2FB3648AD2BB41E5BFC718EA387E5142D68687333E2FF7632596489AA08895FF83FC44298EA2DA3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):121314
                              Entropy (8bit):6.7921721852358425
                              Encrypted:false
                              SSDEEP:1536:SqKxxf6spCz7x6Pk35PBbMixCFV5LLRuu1iU7lW+5XxZkUs4HV3z7O:yxxf6L7x6Pk3FBMixCFVhj17d5Nnp7O
                              MD5:B66B039F8F6F54A2428FCC95A5585997
                              SHA1:D527D0B79333032830387FAD7F333782997E7A62
                              SHA-256:5FE1C89B88DD1780C2CB18689784F2062DF488141D7B34770BE4588F45A3F654
                              SHA-512:F950606ED70E3B4B6072A7B6D3F841097F2714A6E49F839E213904863D537683BF16DC8CF4B5BF9A493A1606797943F68F765D1F08D7A2D3F07A0F133B67893A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):169226
                              Entropy (8bit):7.115007957564543
                              Encrypted:false
                              SSDEEP:3072:0q/njgEy6ZZjvZwZtqS7kHHQPeRVzNjt66iyCQSrYpb+ZgC4RkJz:0vHG+ZtqSGwWiHR4i
                              MD5:4E68E670809742F46E1676CCAE11420C
                              SHA1:DBED9060F4F68D11ADE14F7482921FE5CCB4E4EB
                              SHA-256:9324629D1731C54758FCFD8156814EE07E7596F199D290D1CC6E38C5F2CE1173
                              SHA-512:938C6EF68E720B588B610FBAA6CDC9B364ED632825EB81E8DB1DE198D7DB57855DD9BF5534046D5515B4284B4CE2873081DAC7886763F1ED7780CBDDD39DD839
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):673034
                              Entropy (8bit):7.062603870955304
                              Encrypted:false
                              SSDEEP:12288:yduY1ssiOKBU8QEcmJ+DL2Pvg78uZwSIymBknzuO6DHhS2rJcqmRCN:ydN1ssiPBnHlJ+DL0g78uZwcmB8p6DHt
                              MD5:949EBE82D2831FDDDBB57288EB39AAA9
                              SHA1:B8EBC4D50035E18953F10DE556BE95B3F37FA31C
                              SHA-256:5871906049579421DDE9A87A758CE90A7845A658B207CFF483A047F42633BD7C
                              SHA-512:0DDA845143C860109CB89415555BCF52DA257A2900905DDA98A52067F529982149954856D83E2D885A33677050EC6E8C6C89041B1F0C9A1FB093E9E258E9C248
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):343826
                              Entropy (8bit):7.1241178801824585
                              Encrypted:false
                              SSDEEP:6144:tyeUfYneVqn0idcluuo7YSYxAAf2hrelM4FzwiqylxCund:0eUf+PnRavo8KOttxn
                              MD5:B55B7C3210BC1F92CE1C297C38A1A45F
                              SHA1:19CDA2A00E1525FD55777568482EA71C07F88465
                              SHA-256:3214C3FBD1ADE2260EBAAE043DAA2798CB710B2CF5CA790D041A9A9BF595E773
                              SHA-512:FC9B5E1E628ED03766DDD06164FDF20E9729A50C175A1B26F83E1E6FB9E036422CE9054F62D2F18AD2B7DCDE53B6C141DB36067738B71736553F3338DEFF0E2D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1098002
                              Entropy (8bit):7.166639969643703
                              Encrypted:false
                              SSDEEP:24576:oqoZWrVLTh1QnO7yoZqL0roabFVYRTlp1iUL/klkif:oDZ81d1D7yoAZsoRhpMUL/kl7f
                              MD5:323BE6A80BDC39A5CD5DB4E9C96DB619
                              SHA1:642B2C67CA46994CE1E0121DAA3FA1E1F54896C0
                              SHA-256:CD7E0C6BCA802BE38022920EF4731860DCDBB5F1B26601E813C9889ADE47C51C
                              SHA-512:836B95A1082B34BA6A2C3EF859455B31CE3582D2CD87EAAC7557972E3487F935024261C0E6BBCFEF40F89433E697BCEE884D68AB5A38B603724D7D3513F53DFA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):61202
                              Entropy (8bit):7.052308879859632
                              Encrypted:false
                              SSDEEP:768:t4Kfr4wQcKHv9ug/oMQXoaOkfzuCsGbt26OYXRgRHr4aMp4FTanEufeGnmEN:qKfcwBKHlI5K5GbgYhoHr4am4Ran9X
                              MD5:9D557CCA2D8C54813F40756F80D3F7B2
                              SHA1:002CBA59D94D486096B47823208FBF6D7C780552
                              SHA-256:7C012CFF21E7B11BF1B315521DE0A9EC7D11446DE220CCB36B16699F792A1EA7
                              SHA-512:F9449A870DE14102CFF8DB09D3617F906D5198AFDCF0EA09377C5F7E17923FB5A669FB55F6585AD9B375DFC43E88115EECDAE392F22358AC7CAB7B94DE77560F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):62663442
                              Entropy (8bit):7.176732186293144
                              Encrypted:false
                              SSDEEP:786432:I6TypUn4rufhL9hauJUZ0UYdI18o/F9b3KA+vmMdZmpFiIx/ifun:XTypRrufhxhaaUZJYdI1Ndp3KAK3dAYs
                              MD5:6C883D406A9DE2020DDBF4D24155CC66
                              SHA1:069ACDA8EE3C7418EE79163DC64AA194ECC33C62
                              SHA-256:DC8467BE03A28B224D1A8656A76FB5E2D481DBA4BF2F4CEDE7F3A50556A47045
                              SHA-512:B240BC640464B1BFD68A759A7DB9852C3CCC9232D58FEAD09D20AFBB9039B7E8012BAF8E0C79B9C543C7771F8780A481916BF0D52FF08EF58E5681F1B677A49C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5641490
                              Entropy (8bit):7.007443793521798
                              Encrypted:false
                              SSDEEP:
                              MD5:84EB080E68837751266FABCE4D894D9B
                              SHA1:85A3FD7285BBF8F13A5A995F715757A8334D1A7C
                              SHA-256:571EC5B5DA09D4349AA2BA0995FBE4183A15F3D4DCB08BB6CD83BA097E8E3130
                              SHA-512:A397A6AF9F3DAAD26F69B2C5770FB32D76FB2CFE0715E65C3180DFEC41C9AA260028CBB41C639F5B2F410AE9C3F46432B2582402807EBFDDDD8419F51676D646
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):38162
                              Entropy (8bit):7.0154658107452965
                              Encrypted:false
                              SSDEEP:
                              MD5:C39265B83AB9E41BC0A7E498EEF485D0
                              SHA1:6CA0AFD2EEE78978126505FDFAA6AE72FDFB4967
                              SHA-256:CA072BF0645F82529C72C3711933B18D7D07D08D1A367D07DBE209BE59149D03
                              SHA-512:15D2AE8A507793F3ED4907EA352290D3B1EF2A7FF948C2E59D88D366A8C8087338A8737689665C2FD658885DB3A47F25A6EE159AF1EB7549141EE67FAB829C0E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18627346
                              Entropy (8bit):7.696466670630415
                              Encrypted:false
                              SSDEEP:
                              MD5:6C641DA22ECDACBD0EA35F28FFE6EB5B
                              SHA1:415C165EC2CA420A86829D0ACCB0DB345F4AA9E5
                              SHA-256:F8D179D66E75E7DF61C2EEF295F83AF5A15AFA4E57EDF85E6D023AC6B4D4B8E1
                              SHA-512:D96897DFA7E15503C715E54CEB91120B451A5414D2C8D57A92A906DC29E7E42D17B9E29818B105C2CFAFA0C4CB979E1DCE51D62DB0983AD66A252F449406A8E4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2917
                              Entropy (8bit):7.729931453054093
                              Encrypted:false
                              SSDEEP:
                              MD5:5615630A65BF3CBC8E81A556FF5AB560
                              SHA1:5D64935338345226F0015374D5A5DDAEF37B1F50
                              SHA-256:7A1C44330183CD29E4011C2E48BB34AA7A9153ED1DFE1FADEA912271C8A3E51E
                              SHA-512:0C5BC1D8ACC64DDFB0D7E5BD31A4DBB43623C939B30879AF06B95498D53DAB0CCB8CB3ACF7A284B9051573C446B3269A8DE128A8F79E91C10DBFC1E030914E0D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11470098
                              Entropy (8bit):7.211614027519715
                              Encrypted:false
                              SSDEEP:
                              MD5:A03DBB03BDCE0C1842F8E3957001BFDD
                              SHA1:C6FF5AAEEB2127DA18D0F9082A96DCE17B404C00
                              SHA-256:09467F60D7D382FE7683B8E42BA51849CBC9C15BB4A683A420810E21CD707770
                              SHA-512:2CEB722D7F61337ADC12229B635B440647590AFFDCE57136B699F49F6B6DEBD2447F5C1256FE774A4AE4B16666405CF490299706C7F4ECD3FFB67EA98EB1B8A8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):545818
                              Entropy (8bit):6.764511498809855
                              Encrypted:false
                              SSDEEP:
                              MD5:4B6027BA69DC347673083CC405523265
                              SHA1:7C09434885F4A1316EA0C8DEB471DF22B2B80999
                              SHA-256:93D403CB8117B2D146249C64A9017053DC59773818CD2F48C19217BAACDE225A
                              SHA-512:D3BF3F0444063198095A4F771DE320E93E93A4F89C6D407441E83C1B7ED42D2D0890D51E7EEB4B0DE1CA0288D6819004A57A30C424883A6373CB045FE775EE47
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1261834
                              Entropy (8bit):7.131740717600461
                              Encrypted:false
                              SSDEEP:
                              MD5:1B35BBB941E5D9D77071234F453FA5EB
                              SHA1:CB6E48556D022A5C95654DEBB6FFC5FE17DB4671
                              SHA-256:E96D7F39E4BD787443B69B552B05AA2681972E96578B23388F3CE8E3B0CDF01B
                              SHA-512:313B486274B03850E78D4C37BDAD3B7D39005CBE665479D5B231570B45957D8042E7F3DFB953413986B22272352AC72C1A2DADCAE7D52934D0ECF0769B3A4D5F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):139026
                              Entropy (8bit):7.02111107727366
                              Encrypted:false
                              SSDEEP:
                              MD5:34D369E4B87D255403EA8D8C001464A4
                              SHA1:0EC141D365CD9938C17544D57E70F345B7A8C409
                              SHA-256:9A6E6679A2ABDA9747AB7882022B42118AD426549C1E4E3498585A0BF921835E
                              SHA-512:F041518B920C75BC4D738ED8FA3C89CA3FFE78EE3FA52EBCC207CD40C13B952CC6D91F20C9E0CA4A4BEB36B89243FDB4C23764635E3E7EA517BB70F2FAD11A94
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):170258
                              Entropy (8bit):7.084470305471305
                              Encrypted:false
                              SSDEEP:
                              MD5:70F23FBDD936B1B3239DDAAFB809F522
                              SHA1:9FC60438F597EC560D57AB97CAF8A25DFCE9CBC1
                              SHA-256:A9AB78A04EB27829FB8B003C01EC58AD3DA9AC5B6A63152AF4F181CBBB6DB8D6
                              SHA-512:D73CDCB09437657866A3F93787B6F801B2CBD81B2AD79A2F9464CE2F2F3906B1250D1ADE7EE21F5358FAB486A4235C93226FEABB3E29240CFFB9F54A9F9C77C9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):492810
                              Entropy (8bit):7.009318229543742
                              Encrypted:false
                              SSDEEP:
                              MD5:E25F649C54EAD64EC94A01E3FFB12BEF
                              SHA1:0E23018934AE7A349185B3B0B3199B3939381BAB
                              SHA-256:F970F42F63DC05EE084FBD0EA0A6DD53266A47D06421D3E060689175E2903ACA
                              SHA-512:C63FA1B8115E076C46FADE75F0E6D01BCC1AA435B41E52646936D9E09DFDFED9CF0F045E6B2336FFC44677E38704FFC70C80E1617DB49C35BA03AA8485D13148
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):770314
                              Entropy (8bit):7.050648279587446
                              Encrypted:false
                              SSDEEP:
                              MD5:10BD4C1AFE30FA4B64D728557673E8EF
                              SHA1:43B2AB104B7BA59AE1DD98B2E9B1916950F62D18
                              SHA-256:8622F499BA6A915F49F7A4AA43073C01CD570DBA5C08DEDF380B8378190E1FD8
                              SHA-512:89C609CCCD499DC172086C44EDC7AE2F988BD2ACA83DC2ABDE087C0047EBA2A0EC1CD2CECDCB6544BAC314B38EA34B98D49B4ECC2FB271BB0CD9D3CC86A07AF8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):396554
                              Entropy (8bit):6.881187704262013
                              Encrypted:false
                              SSDEEP:
                              MD5:5837EC180454CB5354102C428137E2FE
                              SHA1:81DDDEF8D46C61DE8A1F6E2B1B0F42B22B1806CB
                              SHA-256:5505716E2F61E03AB9FC9749445006B926B619B278E34E50D59391AB129E6550
                              SHA-512:52F863B3DD78BDA4A8615FE9FAC6C737D304F4A93B49E6D826C99388443913E896FE5D1DFBF4D81B5ACA12D121164CFE79BA0242F296C61739E5F1AEA9DEBD80
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):187151
                              Entropy (8bit):7.986319699952453
                              Encrypted:false
                              SSDEEP:
                              MD5:6E16C4BE3175619F1F810C65AAC86F8F
                              SHA1:0E1DA9BB4D63989D4570C20AB60C3031BB9DF68A
                              SHA-256:B48EF12BBE5A486EEE3F14FC51DFFB8F0F34B91D6A290549B73764FE583B5EE0
                              SHA-512:EE7B78B094965223154901B2F610A852F749E9B9D0FCE55E48DD76F8604235E0DACCE784EBBC809998DBC2A00560023C8DE43DEB6ABA913C82426B645121477C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4294418
                              Entropy (8bit):7.2446153633813335
                              Encrypted:false
                              SSDEEP:
                              MD5:F22CCB00ACC4397396469550F5088D4A
                              SHA1:2311E040D3589135F434120E58FA6D17B7BD85EE
                              SHA-256:8E4EEEE046A299CB92AA57FFFE1226677B324F169887AED30BCEC2A2628750BD
                              SHA-512:200E78653F7C60D83B2E80713F7E16A700BF9371537F09442BB8EE73D809408DAA85BF7CF07837D667C4F9ABE86ADCA9396A3D6BEAB3C22DF922EE8A15D9B194
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):166154
                              Entropy (8bit):6.997970857534157
                              Encrypted:false
                              SSDEEP:
                              MD5:1A5054BE21699D51D65AF686208DDE5E
                              SHA1:5D89EEDD08733B5D1E4309E44A47453ACF0732E8
                              SHA-256:D1AA213C5EE76C85A5039CE58E8E25B3005B509A9707F7807472D62335A5A1F2
                              SHA-512:B5D15A609242EFF97D92DB2644B6C38E7245B1EA2DEA60611E670B2FBB361F6F980B4381D4955448623D1EC15B286ED9666CED3799CF97F0A35EE099377AC9FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):134922
                              Entropy (8bit):6.846139535964949
                              Encrypted:false
                              SSDEEP:
                              MD5:0A7F13D5627D01442D17561A50237430
                              SHA1:ADE51428EFB9CB1F942D24C9C7BC068DA1C8DF53
                              SHA-256:4A720868B4E05F1A3C38FEE8741A07F935DA29DC9640A03CE0798A1A5ADB1816
                              SHA-512:AF6A39485E1170B663F5ED0F4D419D7C61504D3BB86EB862112040A4CCF28B50E159D7134AB1F159C14BFF331F1C75F62D5EF654412B5727802AFE169A42EC47
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):795922
                              Entropy (8bit):6.943781351597246
                              Encrypted:false
                              SSDEEP:
                              MD5:11D91603DF0AB5824C496F8362723953
                              SHA1:65717B4A2C9F7B722A455935DA35BB179EE32591
                              SHA-256:D32E45C6345D74675711DFCD6AAB53A0F16141D3A6441EC4F26CA1A271616EBF
                              SHA-512:BE88E7AB0254FB136254AF2BD5FFA64C2773BF39A34DD8AE91F14ADDF5E96B8F9309CE78F7653E589E942AB8A0B85B7BD5453F400B3488973FC983FA3D72FC8C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):673034
                              Entropy (8bit):7.269051318062562
                              Encrypted:false
                              SSDEEP:
                              MD5:A2CA3714DEE7689C5387243182CD28FA
                              SHA1:67D0013B3C4FEBB42B5F479E95F93C4FA9003927
                              SHA-256:B734B5A07A81C71F21063127CCF8B914465430976E003511C2775906AECF0DDC
                              SHA-512:CAAE3F873F1876F9376E3B2BBAB07D6FC17C30B9C4D058969F2CAA0D07F8FCECD2D7C432AF24F72C55F03357B1B9A8CF64C255ECAA20AFB54FA90F5BCA8C3061
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1113866
                              Entropy (8bit):7.232669377381374
                              Encrypted:false
                              SSDEEP:
                              MD5:710F8E6BCA5010FEFD3AFAE45DB8A5FC
                              SHA1:AFEB6E41B51E05470A86D5BDEFD1D09FEF436BC8
                              SHA-256:914354DFE7D5CA7ABD5376BD18EF021DE9F950A82E9FDEA8579C01E15F1FEB8F
                              SHA-512:95CED0639F67FA3E9BD60B97F34556F5C1A32CC5D4B15E08F34E2BE856B71D97A1A0CE40F66120963DF9D996E3A0E20A1DB675F88C8A3AE2ED0BF5EA5E1E5BC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):126218
                              Entropy (8bit):6.950405088663136
                              Encrypted:false
                              SSDEEP:
                              MD5:7C2F5D5470D521E4458340A8BC0399B0
                              SHA1:643537AFADC751AB610A72BB09A2B7C662B46799
                              SHA-256:555089D1FB46FF368CEF4EE09E6DDC7962A07CE4017A7AB0C176D732C455E379
                              SHA-512:EAAD01E33D405F1802C2C2A3432FA8486639C35E0BC4004904447F8078C3DD988ED63BB4459E5F84D65027E6CE1588806DCDBD1AE75308597999DE80CEBC79A3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):468520
                              Entropy (8bit):6.994071555138202
                              Encrypted:false
                              SSDEEP:
                              MD5:782B090EB9189D6C630FC412F8329A00
                              SHA1:3E3C7BD49778F2C370E53DE00232EDF8A5A5FD97
                              SHA-256:9EC34AD296437F0DABA5668C8FCE178355F4E65015270E94DDA54F7223E56FEF
                              SHA-512:529B9BC6563D9B3D59632756B38D482C846A5B772E0399B0AA6DAE633FD92CF37F374B8007C95150E22BFB2BEFAE210C0DC8AB46AEAC0997435CBBED97ACD8C7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1412
                              Entropy (8bit):7.674699104951198
                              Encrypted:false
                              SSDEEP:
                              MD5:EF95275536B89BF2D9BC890A89CBBC30
                              SHA1:964D12E63D44235D0005B000E955A5ABEB6563EF
                              SHA-256:1A71A4B42728D97773829847E74C795655F17A88C4D3D2B6610AC65CA71B0C3F
                              SHA-512:B39E80CF380012D436DDFBF38FD992D5EBE69AE7DF201FC4F139C0FFE3351C494C999A3A0FBD6211F81CA7482AA1020886679ECF245C16EFEA3920B56BF9DD6C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2957074
                              Entropy (8bit):7.154083741765269
                              Encrypted:false
                              SSDEEP:
                              MD5:B2512E09120AFF7FC6CD5923794487C4
                              SHA1:2425E44B9A1E85F35C2C8446CC6DA784194E36CC
                              SHA-256:E874341EAB8D088FD81B82929E19D1F89C764615F6082F8FDE55E9A313FE25F2
                              SHA-512:9DF32A9AE2BD0D6AADA6D70906F9C9DFC7FFC6C8C1992BF8136FAF5C859572B8FB166BCE795FBC412A6EE5AA9B9FF477CC7E14171D1F7889369F45501856F4D4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):720146
                              Entropy (8bit):7.077043540815614
                              Encrypted:false
                              SSDEEP:
                              MD5:712B2C4C8B27999501E13F83A9230B8A
                              SHA1:AD89930E870DDF02D0D5A109EBDC89FA3FD2AA7F
                              SHA-256:88C664091994B3ED528C3B228D7EBE6B96F1187E4ECDB9D151D4065FF0D6BF24
                              SHA-512:3FD94E727B1B924213E954CC6E22209673AA546BB985011AF906EAE88A5C8629A2BDD9FE5E9835A9F6FABA37C438A3E91DBABA92D783A67734BA7360785283CC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):24330
                              Entropy (8bit):7.159659735003895
                              Encrypted:false
                              SSDEEP:
                              MD5:4B4300EBAC55C016CFE749155E3FA69A
                              SHA1:4B36B781EA8224B657BC9D5A1970C53DEC3FC8C0
                              SHA-256:7A2C91088BE8ADCA48CF9047ACAD3CAFB9841CDE870ACAF01168DCD4EC1772CA
                              SHA-512:F43915FEF8799483C7A53329F9F4B57B40DBE094787AFD98957488A1FC7B0973664705D3C3850E305063A5E0E5BAEC37354BBBF3B6F7CE5339466FDB67294E01
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27914
                              Entropy (8bit):6.9904780194869796
                              Encrypted:false
                              SSDEEP:
                              MD5:FDE8433D6D0EB82D2CB065465FCB0102
                              SHA1:D2859182F916119F3161B1064277385F97D8F370
                              SHA-256:5FD5B0D9DA6FE54D57733190F9425E1B06BC5E80A40BAE4F24291D59A154DCF5
                              SHA-512:255C762A9540576DA37B3E1CA2E4B37CB0ABB070F63E88F76F9AFCBCF70C98E811981C556F45282D7BEE038CCEC81E40A431D90774C77500ADE4DF0691D95F5B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):67294
                              Entropy (8bit):6.3127129552499355
                              Encrypted:false
                              SSDEEP:
                              MD5:B7E3E231B61A8C9E7674A2772F585BEC
                              SHA1:F11376D5AC8CCF2C003A3D27B23A6E90F9D55061
                              SHA-256:2101225F26869098DC82164A57C6CF2E780713CB26802735DC1DAE8401DD9E1E
                              SHA-512:979DA4491802D489EFBE2492A955169EF817EDCA28B738AB47781A5CBDF49436A0FD6FCAB8A8A1242A681B0A5A561F811BC15A348FFA3861E890CC2970C94C9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):683
                              Entropy (8bit):7.146649961989853
                              Encrypted:false
                              SSDEEP:
                              MD5:FB049903EF15EAB8630F7DF5518733F0
                              SHA1:88E9E14BB8DC207E4E28DFEFAA1239F4DB3A33D6
                              SHA-256:55B2AEE3681D7F811253CCBA37E9A269DD343A57369B23903C8A9D1A51A549BE
                              SHA-512:F209B4007B42A1A9EC94EC1D390098BEF48592A67A29D5C3D4D779D4DEB486C9CFD58900F00C4F9E6D08A45B2B8EC4FB50FD0216B7D0765222D2AE40B2858918
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42762
                              Entropy (8bit):6.979361471073653
                              Encrypted:false
                              SSDEEP:
                              MD5:F34E9EB5E37C3FEFDCE86837704F5E8D
                              SHA1:CB6D853AC2BA6EF5B0C8DA8CF526D4691C111ED3
                              SHA-256:0F90245ED7EF5AE3D22F27FDC8EE38440699A256F2816486EC89DC3D7E92D928
                              SHA-512:1B7AF69DC6DFDAEF30076B2E1A822135F8E9CBE66C0D821E9835D4B099994D08C93892B56A2BB043A0B7324F76D1893314E43CA48E908BE8B95F9B8EEA666CC5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):376082
                              Entropy (8bit):6.946210460884973
                              Encrypted:false
                              SSDEEP:
                              MD5:8FD90C8FB6D28F486DCB8100FC887EEC
                              SHA1:8723B7B8F674B1A6ACD092B0315FE6F8FC729BEC
                              SHA-256:5B0C435D12955AE639DBAB29A19A4094EDAD79D9F5FA4F7022FF3D3E8C618A94
                              SHA-512:D4B2D551A1CEEB0E81C684742CBF2022720479F7F1E4DA9450691962E936B047698BCAE8EAE4B90357557E1AB9098E36D89B8C09FC974DE916751B73FBCB91CA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):367882
                              Entropy (8bit):7.098097883340251
                              Encrypted:false
                              SSDEEP:
                              MD5:E71CFB57F5BBC30AA4CCBA98B863A38B
                              SHA1:DBD50927C56BBAFA8076573E372E680966534E3A
                              SHA-256:FA7402D5CE74BD4B79D78323BC4469F8018591EC160C9A43903EE9CEE8AA8162
                              SHA-512:2004E7361B3BACC1B1F8217A8796ACC51F30E9D3ADD45057A60345D40C466A17DC13C5C99F7ED27AF21506C9741A4E8939AE13E8EB1A9E462F457A3070BA7AC4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):266554
                              Entropy (8bit):6.999504316300309
                              Encrypted:false
                              SSDEEP:
                              MD5:09CE223D6C84FF2E45D286C4C91A07A0
                              SHA1:A6A09190B95742EE0B3C1F14870D5085C879CF9F
                              SHA-256:16C0F1F123B1A47B5AB03591FEE34043E5CD35D4CD5CB0BC2B2ADC929A99686B
                              SHA-512:23FAAF8E7FFB70230F669C61AA5EAEA7EAAD40F0F0FE0FDB5860A456947E49BE4DFA319BDC20D638072A5A29101FCDED61F5DF698B53A077B0E9396ACDB06AD8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):450874
                              Entropy (8bit):7.09877357455456
                              Encrypted:false
                              SSDEEP:
                              MD5:0494CF0914C3031FE5E42D08F9D240D6
                              SHA1:A65BAD96E3FF3A336EA7D3946F7480CC204A130C
                              SHA-256:64ECCACC7159EA5AACB871918B9EDF4AE59974C83457394DCE68894B97499393
                              SHA-512:960068C9D4ACE2A9DE0E29C393F506A293F10019C408C462AA4D817F65798500672C4A488BE8A4FAEBDF634D6A22E7FFE37C61E77E950B5262B2E90E8FB84EBC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):399674
                              Entropy (8bit):7.1522974509747606
                              Encrypted:false
                              SSDEEP:
                              MD5:4244E4BB3531D534F15B2051CBF0957E
                              SHA1:5DED27667F22364EA5511AA239F26ACEECC7766D
                              SHA-256:42624F0545C4BE980A2542CB99DCC32463E41FDF6858C68913C098A59E7131F3
                              SHA-512:A52ED5143451673AD5C4C0E5AA93BFD6464D8DC7A19726ECF9B0C861C204163B82C17449B84AAEA09DDC6AC65DEEEFFE4B8C03EB790DD34264B626FA44E2BF62
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):561978
                              Entropy (8bit):6.870383876901143
                              Encrypted:false
                              SSDEEP:
                              MD5:8B7CFA7A17EED20BA6F1A75B6832C3BB
                              SHA1:D6972D1B2CB12FB8FBC68EA994C9E33373FF8AAA
                              SHA-256:C4C4BF757CE3D15C561DEF54A615F9518E53BF6C9640CE7DA5BFD99B59CF5E98
                              SHA-512:03908E7024BF7E01D803D4041663830387B4DE6935C94AD3D1FC9F078153A41A169E0DB1865CDA63DEC588206A61347B02AC5763EF00D0F8C6E351AE5B7A1ADA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):513
                              Entropy (8bit):6.788060606723089
                              Encrypted:false
                              SSDEEP:
                              MD5:C7CCBECCA0645EA92A46636BCD7A139F
                              SHA1:AB5C48781EEBCECA2E244D7CE1304532B0BB9168
                              SHA-256:81DFEF7F8B20A1043C92A48C9540E221775276A5827425DAB881D0EBFD362AE9
                              SHA-512:7C61D41702B91F715B29E215223DEB5A7897EC9187BB54617FF9D2591B696F7A79C8D7931FEBF8CE3C5FE20F18F76ED411BD7534E3DCD7C4CE98C591A4099CAC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):292666
                              Entropy (8bit):7.1094597124941155
                              Encrypted:false
                              SSDEEP:
                              MD5:2B2D46FCC29C18201CFBD1BCF9292368
                              SHA1:4801ED8C1767DDF55B708A1B71A43DD2C28BF672
                              SHA-256:A0D7E046DD7672744B5F26FDFBA8D39441E76990C4E25A82EEC5AD306944E9A8
                              SHA-512:F69508B5325352EE17CA69F34CDD4FD36F47F9AB70932C57B87AA10E6B27CD0898328C6D0197A6E900BC90095633AAE1E6A72094A056E5253F808BBAF9A156D3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3246
                              Entropy (8bit):7.865590762825166
                              Encrypted:false
                              SSDEEP:
                              MD5:7835AD20FC7DD082D1206E3CCFE8790B
                              SHA1:4326FE372676A17A2F7AC9870BAF2B2E26E0F4B6
                              SHA-256:BD51955724F39F1DBFF9F95D6E1003479EB89EB2552B7AC3340D9B4E1D701CBE
                              SHA-512:D35F66AE496AA476AE5F1370CABF292FFA93CA257498086853B32E000090BA223FE237E32BC038E3A102961E0999F4E1D22247CE717E8948A1DD9B7FE2E27997
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.403279338866556
                              Encrypted:false
                              SSDEEP:
                              MD5:BEE81BB2C149B301CA9DCB4F4A34208E
                              SHA1:8A9F729EE0264DA6BA7F7B41916D29B0E1DF8774
                              SHA-256:3C2102FAF3A28DF811EF7BFFA71E115EBD839D5CC7C1128DED10486D12693152
                              SHA-512:9E2AE69A5825A076ADEEA70D0902D9300AE490BD77E7531DCA7866FA6275D7B35C4F4401BD7E55D56D9D515C10966C62F9AE1D934D7EC21D84D951A5EE78133D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.395074531273169
                              Encrypted:false
                              SSDEEP:
                              MD5:E66ECC4011DEC3CBB6BD729787B0F0A2
                              SHA1:A920E3445A39521746C0AFA5BD3F95C84446A6F2
                              SHA-256:70BC8FE82198E88A31D9AD556EF81BDDF204177D3EB7B778E32B9303D5821B37
                              SHA-512:686F3940EE91EEEF3416CDCCE73BB389A2FAAFCDD5803785C13BC5103EB39CBB032E2317C010A7642924EC703033778266AE1E3E3388560F064D965B40A178BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2005530
                              Entropy (8bit):7.236391439198382
                              Encrypted:false
                              SSDEEP:
                              MD5:4C4FED11E266B48FA881B1BC0A75BFA2
                              SHA1:045B90827A330DB5083987B714F016CD482A1D0E
                              SHA-256:CD03EDD889C2E020AA9990FAA790BF19CEAE0B9B1EB81F893E327D442F7EE601
                              SHA-512:721F0732DDDA1C7AB6038D9A1FCB1BB10F3529249C8FDDD40520C16A809CDE6050328ED0D4640B56BA8AD817E96DB621B182C4F51C049BA51DDF399F1710993B
                              Malicious:false
                              Preview:.u....t.Hv..Nx..g.KS@...'.....YM&~?..\...pS..@)...9....^.e...........!..L.!This program cannot be run in DOS mode....$........3y&.R.u.R.u.R.u.:.t.R.u.:.t.R.u.:.t0R.uq?.t.R.uq?.t.R.uq?.t.R.u<.e...c.rJ....Y...q.a.W`.5~....gq1....)..r.._.5.B.....b...[..Rich.R.u........................PE..d....?.`.........." .....H...`...........................................................`A./c...t.Lf..PNx..w.KS@..'.....YM&~/..\m..p...@q...i..............`....|...........3.. 1..T....................2..(....1...............`...............................text....G.......H......./s...t.Lv.6PN.....?2@...-.....Y.,~?..\...pS..@)...y....:..$...@........d..................@....pdata..`............L..............@..@_RDATA...............>..............@..@.rsrc...P........'s...j.Lv..PNx..g..S@U..Bf..Y~&~?..\...pSE.@)...9....^....................................................................................................................................../s...t.Lv..PNx..g.KS@..'.....YM&~?..\
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.386998202174793
                              Encrypted:false
                              SSDEEP:
                              MD5:9E2F2C398DD04B1F3FFFB0DC0BBAD9B4
                              SHA1:20DA153295D7681FB24FF9FCBAFB67D8828FD90D
                              SHA-256:2D87A25E9DCDF03795AE8B28ED87304C0F38640D99DEBD198C1F0DC6024F3AC5
                              SHA-512:AB83BE9CFBE6F7DDC5DCD8E8768B550429D289E9E71186D993E39FFE9D61E5D8F130ADF08AB5C1C4434F6AABFA314D69BAFEE5965C94B066619F25D2AD63FC6B
                              Malicious:false
                              Preview:?~.M.......H..3..i.j..:p.p.q....../.&..'.<.e.......4j.a..e8.................................................................................................................................N.R.R...2$.a.......[p.=."}p.4.d......{s....n..^'.u...X.l.=...................................................................................................................................N.R.R...2$.a.......[p.=."}p.4.d......{s....n..^'.u...X.l.=......................................................................................................................................r../...H..3..i.j..:p.p..;...../.&..'..n..^'.u...X.l.=...................................................................................................................................N.R.R...2$.a.......[p.=."}p.4.d......{s....n..^'.u...X.l.=...................................................................................................................................N.R.R...2$.a.......[p.=."}p.4.d......{
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.390175720236415
                              Encrypted:false
                              SSDEEP:
                              MD5:E9118AA5BDB829877F55A9245C355FE9
                              SHA1:95E5494AC870324E10BE55F34933E3026C189200
                              SHA-256:B689C9E0EC90FB22BDF633C503E3765EC70D1B632109F2595A440C338DFA2566
                              SHA-512:D7F0DB096278E4C74637181C87DDB918CFC9AE0EC24236E15FBC2EC99199F06839FD50B12725A32D948E49B63EA0816792683EC1E4B6B0B91BEEEA63771C4709
                              Malicious:false
                              Preview:Y...E...)R...{..b.`.i...q.....pf."...@.2.;x.H.`..!.._..|..gx................................................................................................................................v,....F..a.{..8...=g...b..R..GL..]......6...T.....az.@q.>...................................................................................................................................v,....F..a.{..8...=g...b..R..GL..]......6...T.....az.@q.>........................................................................................................................................L.c:R...{..w.`.i...q..."..of."...@.2.;...T.....az.@q.>...................................................................................................................................v,....F..a.{..8...=g...b..R..GL..]......6...T.....az.@q.>...................................................................................................................................v,....F..a.{..8...=g...b..R..GL..]....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28863002
                              Entropy (8bit):6.982174832505875
                              Encrypted:false
                              SSDEEP:
                              MD5:CE0B7BAF35F497B85317662399E2D56F
                              SHA1:6611902C1C9B26C046DA9456A4C007A1FD72285A
                              SHA-256:10AE2E021D59694701076D7FD55192E8506C01D461A32E848BCAEF40218A8D46
                              SHA-512:9A2B8160B9964769912F6B986C11ED10D6E2FEC9D7833CE36DDEB7C4BCDD4693A7030B43DF00B20A60D493FDC8341DEC712F4B6FB0FB0140A91182D840FB2680
                              Malicious:false
                              Preview:.1....IU...3Y.......k.H+..N..(S..t\".`i...#v..!*.....Zi.............!..L.!This program cannot be run in DOS mode....$.........=..S...S...S...S...S.'.S...S.'.....S.'.Q...S.Rich..S...........{..VKU...S.9......k.h`..N..(S.n.t\".`i...3v..!......Ji......................p............`.........................................PQ..L............`...............L..............0Q.......k{...IU...3.9......k.Hk..N..(S..t\".`i...#v..!*.....Zi..............rdata...B.......B..................@..@.rsrc........`.......F..............@..@.........................................k{...IU...3.9......k.Hk..N..(S..t\".`i...#v..!*.....Zi......................................................................................................................................k{...IU...3.9......k.Hk..N..(S..t\".`i...#v..!*.....Zi......................................................................................................................................k{...IU...3.9......k.Hk..N..(S..t\".
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.381357949318154
                              Encrypted:false
                              SSDEEP:
                              MD5:F21B33EC9184FD9D387EF8EBFAC5EF36
                              SHA1:BD74D56F7383F2B0AF600AFDD1A5E2B5FFEF01B6
                              SHA-256:C6C751103E0707B00676916CC6B2017178B5E748970B13C91E91C725A0903A0D
                              SHA-512:9764514C37A45EAA3F5E51C3CD5C96230C7E94B6B7E995D0535E85343E32EF171D01459F96CBAD6879702B2B5B4C757AE8A3602430BAEEDFD824F1B1E40220CD
                              Malicious:false
                              Preview:yCO.X...>8...."'C72..S.:.(.67..E...T.`..a-.....:......O.-..x................................................................................................................................Vs...E9....R2R7dV....._.p.`).....]]..O.VI......[.)+.K.`..R.9.................................................................................................................................Vs...E9....R2R7dV....._.p.`).....]]..O.VI......[.)+.K.`..R.9...................................................................................................................................^"..$-8...."'C!2..z.9...?7..E...T.{..a.....[.)+.K.`..R.9.................................................................................................................................Vs...E9....R2R7dV....._.p.`).....]]..O.VI......[.)+.K.`..R.9.................................................................................................................................Vs...E9....R2R7dV....._.p.`).....]]..O
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15162
                              Entropy (8bit):7.389695835312079
                              Encrypted:false
                              SSDEEP:
                              MD5:003D7079F202ACFF570688E05C04B4AB
                              SHA1:5EE3AD1775B9E0B8740DC51C65DF73F6625B55A3
                              SHA-256:FC7FC689F75D2835ED10F7A9A29847D4C5665E8DDE74F10FE5721C38D9A0B118
                              SHA-512:3E1D47517730D50D101201CFA2D210E757F5F2D7D17F886A0A0B26736CFD2F660BC8A747BB578A7915129C2FFD7DC206CB166414E7094CE4696B1617C0E915C9
                              Malicious:false
                              Preview:.;S..c..i.x...P.q\.Yw. .3."f?.&Y-gxU{..O..9..7+,q]v.L..S.9`".....................................................................................................................................-...1..vt....f..T.....>......S%.9...\S2.......;p(u./.......................................................................................................................................-...1..vt....f..T.....>......S%.9...\S2.......;p(u./....................................................................................................................................B.u..az.x...P.d\.Ya. ...!f.B/Y2gxUa..O..9.]S2.......;p(u./.......................................................................................................................................-...1..vt....f..T.....>......S%.9...\S2.......;p(u./.......................................................................................................................................-...1..vt....f..T.....>......S%.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2587162
                              Entropy (8bit):7.222431700231677
                              Encrypted:false
                              SSDEEP:
                              MD5:93D289AD74C6C786D51B337CA47B5257
                              SHA1:BB8EB79C6B6054DE559676063448DBC96B5E9551
                              SHA-256:ECEE0B7145F5198E4F4B93109B10D221952C373A07C678B97B3BBB53B4F3AB94
                              SHA-512:B306F1473678BDBE80F097554E454BDE7AC31D36E4E3F0D3F09EA40C3517681DAE0D3B7ADB44301E72293FE9E9A06AA16E4DC0BEF8532309BEB4229D2C8CF62E
                              Malicious:false
                              Preview:..............}.........K..`.` /eL............:.*....]....Yuc.........!..L.!This program cannot be run in DOS mode....$....... .u.d...d...d...?...k...?...j...?...........k.......l.............|......N2f+.3...C.^.Z..R.;....'.M...F.G...w^............x.Richd...........................PE..d....;.`.........." ................p.........................................'.......(...`A.Lv.........).}.k..........`.` /eL.......S..WW..NV.....]....)rc...&..^...\'.......'.L;......T...................(...(... ................................................text...................Lf...........}.E.g.u...I_.`..8/e............:.*......r...tc.0....`%..z...<%.............@....pdata...^....&..`....%.............@..@_RDATA.......p'.......'.............@..@.rsrc...P.....'..Df.........).}.k...A...%.n... /)w...........:.*....]....9tc..................................................................................................................................Lf.........).}.k..........`.` /eL......
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2905354
                              Entropy (8bit):7.219476324459372
                              Encrypted:false
                              SSDEEP:
                              MD5:E69D9988AE045739601448F8300D554F
                              SHA1:CB07FC464A0559D3FEBCB2F457AC2540BB85EEBD
                              SHA-256:C625180DD50A4EF1174FAF7B8D0340CC4CDC448B0FD4963AA8F6BAEB2BC02F6B
                              SHA-512:93CBF94D3BCD3C415BFA3269A1AC569EBD22EAF9DC709D84BA2EB69844A9875BFCCB1D9DF3834EDFAD8B637E6B393F57E5A3C61C34CFEB4488EA3D79767CA818
                              Malicious:false
                              Preview:.Y..........A..}.8..K.<2..q#.....i.].z.,N...fr..ig.............!..L.!This program cannot be run in DOS mode....$........9..^Xx.^Xx.^Xx.W ..HXx.7}.QXx..-y.XXx.87..\Xx..-}..Xx..-|.VXx....x.b<.....4..Xqv.!.@-.zx.j...t....'..B..{T.T.b..E.>.:.D.R..m..-p.eXx..-x._Xx..-.._Xx.^X.._Xx..-z._Xx.Rich^Xx.................PE..d......c.........." ......"..2................................`........Yl..].$.}.8.'.)<0..Kq#.....i.M.z.,N.....fr..yg..............8)..B...z)......@,.`.....*.HY...*,..)...P,..'..._%.p....................a%.(...._%.8............0".......................`........-l...Q*.}.8.XY'<2..q#.....i.].Z.,......r..`...7.......".............@..@.data...h.....).......).............@....pdata..HY....*..Z....*.............@..@.rsrc...`....@,.......+...`.........l..s3m...8..l.<2...q....}.i.].z.,N....fr..ig.......................................................................................................................................`........Yl..]A..}.8.XK.<2..q#.....i
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1631202
                              Entropy (8bit):6.883834558068182
                              Encrypted:false
                              SSDEEP:
                              MD5:63951B1164E267FA1978BD22976BF98C
                              SHA1:464FD49A0C783DB7244A4D233233F9EE7F32F74A
                              SHA-256:248758DE511C36F3DC109BCF2D701C14214D99A9FDAF2BA52086761A000137C0
                              SHA-512:333B817D1B353211710692BE6776B3EDE77DCFF6EA40BFE246A671578449B35CAF31160E5D03719DA4CB0975A4F65E81C5BDAC1BBEF59BCC061B42D4A8FF3298
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):734
                              Entropy (8bit):7.244239917079647
                              Encrypted:false
                              SSDEEP:
                              MD5:EDAF13D6BAE136CA4BE80A64D0BE3EB6
                              SHA1:52A53E89C7B85065B5191B7E22B4C8C679A15A26
                              SHA-256:E88824FE76255588CEFE5466F6E67CCC50AA446A6D933AA81F64F6B78F69A268
                              SHA-512:53E16524E71C508D3F42869673D2BAFCCB8D37243C408F5B0B65C9F0C3B5027DB6443A0DD5D178F3366AEAD17EF78A942E7E49A987A199E43682DD0938963466
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2041106
                              Entropy (8bit):7.186058026240084
                              Encrypted:false
                              SSDEEP:
                              MD5:5D6B78F36C082CC77128960016D1608B
                              SHA1:55EB061CF21AE0AD7CD02570214D29067A412307
                              SHA-256:35E084A897E8DFA2A7C2F1122C69CF14F3D83E70A845586246433ACA394340C7
                              SHA-512:F669126B423B3EBA343B90EFCBB85B7B4D5A40190F4DA4C2E53C805FED5CE1B5AD87BAA27A2286129A5C4684B219EE3653B93E5D352581FAFABE5EB56227CC58
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):683786
                              Entropy (8bit):7.248659815087198
                              Encrypted:false
                              SSDEEP:
                              MD5:E9ECB676F1F0409A1601C9936024A681
                              SHA1:47CACE3FEDCB10DCA25A9AB4872F48081FBCB877
                              SHA-256:07339122E7E0FCF9C3DE86767975CB920C888DACE847A8229E78E381239C5AE0
                              SHA-512:316464F7E109E778AABD0A5C0EBC0B14EC71FDBB04B29412F683CC8986151B30906A447F3546235191FA40D1C4BB0ADE6F297AB3FCAC26FCAB2BDC0116783D52
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):747794
                              Entropy (8bit):7.163403104037727
                              Encrypted:false
                              SSDEEP:
                              MD5:D3122B74598F780CDBD28256428DFD2B
                              SHA1:878D2DDAD093294EE326A5FB4408AA96568BA9C6
                              SHA-256:C1207C2B88A7A5AF44C0DD637C65E65C2D74BC000A907BFCEE82E30EB0DFDEC5
                              SHA-512:A4684A9D073D131C193ECC37D15DE51FA2D73B5964B72AB6C8F49C30DE5ABE0085B6FD65CC8FD66A5EE57539C163AA50B1A66EEA1F2461A644D454D2042E14B7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):196870
                              Entropy (8bit):6.63656512030205
                              Encrypted:false
                              SSDEEP:
                              MD5:9E1B52543A8648DB4D845FC563A0A754
                              SHA1:AD58F3112276331FAC734B8B55B89CAA59A44664
                              SHA-256:E46F4B9855694A2D7F2D5738EE51B9C0353804C37AFD8BE61D67B963D9D78997
                              SHA-512:44D13BD88DB9C156E9F0B08C669D882DAA454959CAA7F021C80F23F8BDABB995DFB71266393A7C8D221C3B6BD1E82882F37F81A3527400F9C57593191DE67178
                              Malicious:false
                              Preview:.!.....-....`...^.....*....&.R. .M..N.(?.*...../W..{......PgmentationManifest.. xmlns="http://schemas.microsoft.com/win/2004/08/events".. xmlns:win="http://manifests.microsoft.com/.w.R..|...yK.X.......:.../!.&r-..W.I.>(.d.....QeS._ka......"01/XMLSchema">.. <instrumentation>.. <counters xmlns="http://schemas.microsoft.com/win/2005/12/counters" schemaVersion="1.1"...]..h....aT.X.......n..!.v"a..Z.S.(..#....ChE.X3s....Lfres.dll".. providerGuid="{2EA0B998-E7E8-41C6-8ABC-093083EA21D7}".. providerType="userMode".. symbol=".W./........^t..<........pO.C.^.T6...f{.f..S...$P.Z.s......2 description="Size of data streamed to disk for each package on the system.".. guid="{687D8F80-FFEA-4DE5-A41F-3./.E..p...,/..P.....n..Kr.g<n....W.*/.6.M..^j...e6....C.e="AppV Client Streamed Data Percentage".. symbol="PERF_COUNTER_CLIENT_STREAMSIZESET".. uri="Microsoft.App.0.....<...ha.I........<...vh.c.b..O.H.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):187635
                              Entropy (8bit):6.701038380851118
                              Encrypted:false
                              SSDEEP:
                              MD5:E8057E2871A6956C1D6E1F97C7480D51
                              SHA1:160F394CAA214430A03EB892F4CC0A3AB1BC80E6
                              SHA-256:0B31CCF27DBA9AC68D332C8DF0C0F082BC5C3A32C3DE77554783CA40A49B3A12
                              SHA-512:9CAD15BC6686CC6A6C817D25F5B0F77075606080574BB3E546A313EC6242D8CF303A4C9A6661344A93806CA0FB2965C3A3EC852A6DC45F49CC69EED44E0D86DC
                              Malicious:false
                              Preview:..}.gFg...t}..V...V..b.;...:V........f...AB].+.U5._..f....FrvmentationManifest xmlns="http://schemas.microsoft.com/win/2004/08/events" xmlns:win="http://manifests.microsoft.com/win/2004/08/.Bk.d.bH..x|..V.)J...6.'......U-..G.CPg.......&.}.......[..8 #<instrumentation>.. <counters schemaVersion="1.1" xmlns="http://schemas.microsoft.com/win/2005/12/counters">.. <provider.Ju.g.r...r|....%N..U..$......k..D..^.d...^^W.`.U4....Q...s0A998-E7E8-41C6-8ABC-093083EA21D7}" providerType="userMode" symbol="MICROSOFT_APPV_CLIENT_PERFCOUNTERS">.. <counterSet desc.Bu.b..Z..th....qC...,. .....Ov..T..P.g...OOP.y.S-......Y..W pystem." guid="{687D8F80-FFEA-4DE5-A41F-3E1C83378839}" instances="multiple" name="AppV Client Streamed Data Percentage" symbol="P.yC.H)D)..OM..=..s+.<^%..%...*V..E...R3a...]C^.'.@6.N.......beqfCounters.StreamSizeCounterSet">.. <counter defaultScale="1" description="The percentage of data streamed from the prim.Y|.m.p...x2..T.9BT..o.5.B....v..\....
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):161490
                              Entropy (8bit):7.173251418453449
                              Encrypted:false
                              SSDEEP:
                              MD5:F818DF39FE044896198C8E2A8BEFDCBB
                              SHA1:7C46E9D45A398A409B0FE0B791AE8A385851E0CB
                              SHA-256:8B150924996AEFC63E21BA8AFE172994C9A389948DA01B63854ECC7A244F41AF
                              SHA-512:4F53AA381DEE3A8FBBFBD3A03A8E1922C93A6064B78C2341239E69A675847CA3175C3E59D4B981C625C2D3A21BD22E65CF75F886AB72E070C61F9EBC5C46F9FA
                              Malicious:false
                              Preview:..be'.g$.?K]...<|.7'.Z........+(.....C.Z.b.P..eU.....~..{.R.........!..L.!This program cannot be run in DOS mode....$.........*.P.D.P.D.P.D.G.[.D.A...D.@.B.D.0.@.^.D.0.G.Z.D.0.A...D.c...wN#........+%.1.p....c...U....K.O.S..3p....*.eU.....~..{.R.PE..d....".e.........." ... .....................................................p......bo....`A...................................e4.g$..J]pL...l~..'.Z........+...:..C.r.b[....W.3...h.../.R.....................(...0...@............@..`............................text...\-.......................... ..`.rdata.......@...P.e$.f$.?K](L...<|.w'.........7.....C.V.b...eU.....~..;.R..pdata..$.... ......................@..@_RDATA..\....@......................@..@.c2r.c..f....P...........................reloc..l..e$.e$.9K](Z...<|.7'.Z.......Y+(.....C.Z.b.P..eU.....~..{.R....................................................................................................................................e$.g$.?K](L...<|.7'.Z........+(.....C
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):423690
                              Entropy (8bit):6.9278159884010435
                              Encrypted:false
                              SSDEEP:
                              MD5:A169382CFB28856802EA43827BC58507
                              SHA1:AECA4B2490260E577F4294A26F8C57533E3B5761
                              SHA-256:CC3247257B5CF207CECE6969EFA8BF8799DB5448166AC0CE8204A3547C3CD718
                              SHA-512:B1F5188C689BD89941EEF40862E115C3792412225784DD7ED55F761194BDD0F4216C11CAC982EF587758A9BBBA86E68BCB3F9BEEC9F9ADD93D1BAD9411B16A73
                              Malicious:false
                              Preview:..GJ..>..o...._".Y.I+....o...f.b:.~r......f..ZM....t.K.... ........!..L.!This program cannot be run in DOS mode....$.........M...M...M......Y...D.g.D...M........G......I......U....$...^....0V..[y..K...x`..)W.\.......w.....kZM....t.K.... PE..d...f3.s.........." .........@...............................................`............`A..................................;GY..>(@j..q....Y.H+...o...f.d:.Xr..N.._C..Z...-.t...... ....................(...P...8............................................text...L........................... ..`.rdata..@.... ...p9GI..>..o._q...".YDI+C.......F.b:..w.........ZM....t.K......pdata...&.......0..................@..@.rsrc...X....0....... ..............@..@.reloc.. ....@... ...0..............@..B..........;GI..>..o._q...".Y.I+...o...f.b:.~r......f..ZM....t.K.... ..................................................................................................................................;GI..>..o._q...".Y.I+...o...f.b:.~r.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):268058
                              Entropy (8bit):6.778409425588098
                              Encrypted:false
                              SSDEEP:
                              MD5:C8E400597FFD462A99929E1E074D9E3A
                              SHA1:CE2CCB470A302AC6ABFB0B1C63D4CE5C31FB78BE
                              SHA-256:4B8909876E5761491ADE76CC755D93B753EB4EF72F9C924E28A5E2842D94261A
                              SHA-512:3E828ABA9C0444445B5FD886FBEDE07507BCD62000F07D3ACC003A869EB25CD0277148F724322AFE2D9CBF4EAB21A7E8BB320910564BBC85CC7AB848EA30BBA0
                              Malicious:false
                              Preview:.{...]..\.D.O.|8..cC..pat?....K.....WC..Tx.....r....B.D...#d.........!..L.!This program cannot be run in DOS mode....$........E@..$...$...$...\...$...V*..$...V-..$...V+..$...V/..$...$/.0 ...wq.M1s..........&.g..'7X.m...."`k|.$.C..Tx....r.w;.B.e0..#d......."......`..........0C.........@.........................................`.......... .......................................MT.@.]....Dj..|.r..W..0.w?H......t..W...T,.....r....B.D...#d.8...(.......8...........`...`............................text...(X.......`.................. ..`.rdata..z....p... ...p...........!W...]L&8.0S..|`..c...0qt?.f..K.....WC..T8.......g.B.P...g.. ..................@..@.rsrc...X...........................@..@.reloc........... ..................@..B.........................!W...]..\.D2..|...cC..0at?....K.....WC..Tx.....r....B.D...#d..................................................................................................................................!W...]..\.D2..|...cC..0at?....K.....W
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1401018
                              Entropy (8bit):7.288072130775244
                              Encrypted:false
                              SSDEEP:
                              MD5:B45718B0F03C93E2E42CAA752045861D
                              SHA1:88916C91C1FDC43AB949E1910EE72923522D9109
                              SHA-256:7A92578CE73B434536DECFDDFC2403EDFD4606C4106C1E8A5E17ACAB6A104666
                              SHA-512:AF39E0AD33FEFF11AA401DF5D3A8E1BD01D87CB7BC6A8421FC04A1773166FEE0BEF57D86064AFC497E9F58A34C82000ABE8DC118D8347E72BCBE404885AC3E87
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):119650
                              Entropy (8bit):7.297383601142891
                              Encrypted:false
                              SSDEEP:
                              MD5:782AC3C9669683657A638E89A8E22E65
                              SHA1:43AC292811D97BE04BDA6091967EC0D4DF7D4D8F
                              SHA-256:9FA8D923A53A33535249CE652D9DB2AA03EA9DCB59E5F0EFC3EC9914B521F2E2
                              SHA-512:1CDFAEF7DA8394D0BBF9110914AA5206E8BC0195F12E1F49A59DD6C2D1AA786BA069AD30D2BAD49ECD8ED3E18D14FF273CE244350416AC1723CE50EAD8E412C3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2010882
                              Entropy (8bit):7.019251391121862
                              Encrypted:false
                              SSDEEP:
                              MD5:852B5777D0ECD22F392E29533417999B
                              SHA1:B4F819F4266514BEABB4010FC9B1F0C2B87026C1
                              SHA-256:767B9E16CEDBEBC134A0367A8BD3E63CC5E3A328BF368CE7AFBD4E8A0ED6D4E9
                              SHA-512:7C279A57077B5335D5D2108B6716812B2374DC3E0EAE428FEA844EBE07CA3E5894F3AE5F272F9FBCB7C93F03E45EF4BE6BAAFD19BF481E1CC18EC9725800D6D9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2118418
                              Entropy (8bit):7.000270770638372
                              Encrypted:false
                              SSDEEP:
                              MD5:B6741D713E8877CBA1FD27E67DA24C0F
                              SHA1:EA61855E040169CA15AAB39AB6133E857B32D4ED
                              SHA-256:C80F4BC1F5AD1217A704FA99CCE4CAF2DFCB1C41B8441206C5A2B66FE0B8B8C0
                              SHA-512:2F3BA1386AB2B459C8649FE8C01F33F6FDBD415F479EF6C73CDF54823080992A17593485D9D806DED22A1924635207562813B4C8E47B3AC02E1CDBCF3E5BC343
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1899466
                              Entropy (8bit):7.211185416876856
                              Encrypted:false
                              SSDEEP:
                              MD5:9AFC328CBC08F3700CE53FFF43892F51
                              SHA1:6A1F64E9CD002751871CACA9DC5EC92C9236BB2D
                              SHA-256:70139EBE9B579A536A2DD345104230794AFA18EEA002BC0E56348309BFFECC57
                              SHA-512:AB7934E1810A1932A394D48CC80732678A2DEC1DD339AB3A95D861CBC4CF608F07522910D52A8919C932E05BF0CE672F757CE1BB018B38DFF62EEB15D01D5311
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2376066
                              Entropy (8bit):7.074926152519097
                              Encrypted:false
                              SSDEEP:
                              MD5:885CEFEC3975006DEB67DF8AF87F9195
                              SHA1:EDC4CB8BE238B1A3D0EEA00A74655F5ED522EA51
                              SHA-256:C4361008B105795DC7DB037BBB8CE6521D4E3814961DB88129D2CE95D3176B3E
                              SHA-512:536F16BAC0CFC1BC1DE733DAE0D531F2527776FC52D38DDF33BB60CD5C0FCA21F0F6B9D74FD43723C489B77F7C4D8485CFA442BC1CAF7F8B1EB0499CAA951EEA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4418
                              Entropy (8bit):7.076594636876226
                              Encrypted:false
                              SSDEEP:
                              MD5:D3C042AD2B0CFB78DDD5B64BB8F433B3
                              SHA1:687B3CFA039C480303A088A720B61F5BF69D20BD
                              SHA-256:306F55419315313CE5C1C8A7FC31F864F0A3B2D8D295407EE3929239FBA3D74A
                              SHA-512:B6B17BB5C07E36167523D7A272C880CE14C91396881FDBC3078CCAB56C669102AF81534C94001D1614163B1210C9022DC98E2905AE66F7C6B45AC92D7D090887
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):52938
                              Entropy (8bit):7.569856889048713
                              Encrypted:false
                              SSDEEP:
                              MD5:41949E72D8BE8F2277A48977C9DC4696
                              SHA1:F363F3D2A1A6C95AE2D1065F7922BB6B7EBFC921
                              SHA-256:5848D8AB9AD6EBE4C7D040B05F1C00AE845081693CA3290BE855E5E11AA02CC2
                              SHA-512:FC8E112243929AEF5D7BAB182B1F9EBB452582EC130179100214D385186F5D476441A5638498C33663E61AF5EDE5188B252E149CF1B1A602A990D05303646587
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57146
                              Entropy (8bit):7.591859664656778
                              Encrypted:false
                              SSDEEP:
                              MD5:8FE10736480AF243E5F3C6F1915E2E9C
                              SHA1:82F4AAF4E65B008A49834987C1B580467E0BD885
                              SHA-256:A825DFFAE7C14A5CC764613F28BD7CA336BD3BE4257CA40DCA72CEC878C121F6
                              SHA-512:BC808206D60F5667EA9915541A99031CE46C7E23A443E5102F81BAA264EEFA80223CF8EC49AE7DFDF028B38544686101E588C9831253E76584413B61A3E54264
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58066
                              Entropy (8bit):7.418409953846738
                              Encrypted:false
                              SSDEEP:
                              MD5:7D89613C80246E11144AF5071DF140EA
                              SHA1:4521A3966249B176DA41CE099D25EC907E28550D
                              SHA-256:67D1F5CBF2994EA3ADCB51DF272329FE848EF87355170787A6D9120D08D8B0CE
                              SHA-512:CD46D8187A4D4479A809C4D94E7CBF55051DB40FB97BC56594D9D9F170C0A1F8B3452D7873B45F50AF2819F8B1AC524761688FFDB3784DA3836AC1A9196DE9D8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):53458
                              Entropy (8bit):7.629687513718678
                              Encrypted:false
                              SSDEEP:
                              MD5:95064F808D99D9AF51A0870901074331
                              SHA1:B048CC373240B74535AF17BFF46190723D019B72
                              SHA-256:CEFF20CDE41A97DCD4D4E398B0F219C9F685A4375C583A91411C1D52F8BD7E8A
                              SHA-512:5DAD8600800D3B3CC6918538F844507F362F26979112E8D8CA4A41BD9C04929E72EFA390052887537D8E8542CE937932FB868D52AC55A7C6D80F1C334F3C3547
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60218
                              Entropy (8bit):7.504580021647666
                              Encrypted:false
                              SSDEEP:
                              MD5:254BF42404C35C110FB88C49D7F67822
                              SHA1:87832D8011595600CFF050CD7A700EF094F74B30
                              SHA-256:4C6EC6F930662AB0CB3FC90A3AA171A804DC1047F6B698A62511DF16138CF5A1
                              SHA-512:27CFF4DB7923BD728BEA2FC168F9A3D40F7D059D8A0FE52D1F35959A2DC8F8D124B4DA70D81575DB5664CB60E93F231C5E531C4A660BD1FC6725B19EAE1DCA15
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):61242
                              Entropy (8bit):7.57007312717607
                              Encrypted:false
                              SSDEEP:
                              MD5:8EC146E37AE985ABCCB489944179DA6E
                              SHA1:7D0F2D68C090E431C0C5633FBF477381AE5D7A35
                              SHA-256:D9D8AF0C5D417906F9AC19F2AEA38E06F31FD5A2DE75D528C01C3BF8622883B9
                              SHA-512:16E0F3A2B06567AA6F88CFCF04E9FE911F5DFA4A6EE0C4203E43BC82F00AA685BA5EC4A114530547190938EA2A737A95C022FDCA230D3EBBA44CC60E527FCD22
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):52026
                              Entropy (8bit):7.655280067904759
                              Encrypted:false
                              SSDEEP:
                              MD5:FC768513D06CBB5F9CA80ABD2668B93A
                              SHA1:5AA179973C4830691975673672734B3B43E750C3
                              SHA-256:DCE7584F46845CC1BD9D3D86B721F6D7EA2FF6CFE727E9D2D6DA06D4B14E17B9
                              SHA-512:125EEA8097FCBED21427BAD4798B00859715418DA66B51F673087E5760106B9C4A3698055BCCC8091D9871DD4A6B5888D31B1B0E31DC9EB170FDD0C1BFD8F6B8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):51618
                              Entropy (8bit):7.6427844221812595
                              Encrypted:false
                              SSDEEP:
                              MD5:E80CDFCC255402C5BAE554F1CD31BB9C
                              SHA1:1A237F2C7E847100DDD06322100EB28D4744812E
                              SHA-256:7443B6309BA373F6FBD5218EA4B8EEC373EB7CEBB9929212F204BE0661AACE22
                              SHA-512:5237CFA4600D33F43124EC33CA8C97DF55AEB4D1577262D1FA0D31F7A882BC741B127DA04945BFAA1CB5C5EA45FEBF489DECB3237C53BEB90247359A1CB371DB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55506
                              Entropy (8bit):7.643244198390481
                              Encrypted:false
                              SSDEEP:
                              MD5:8D214B98002B56679C72BCD2B9A2BD63
                              SHA1:2262058AE73EC64F30C977D96EFFE3DFCCCE242F
                              SHA-256:3DC8862AAD0A8CA18087608AF70EF8E7D1655EF2BAAD3F32789F76F43539B038
                              SHA-512:086C07DE4CEF28BFA4ADCC3C2DA83ACC2360A0AF0A4AB5AC8E27E44B23B0C3914F4134E5481C0631E6757E582EF55E97BA61AA87BE05B8CCC7819B7B91E2E92B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55498
                              Entropy (8bit):7.641920689769047
                              Encrypted:false
                              SSDEEP:
                              MD5:7AAB826565375820A873EBD6D89C2008
                              SHA1:F312B3387B4403A9BFD8197D1337D8BF979C5C61
                              SHA-256:C97572906F479EFD7EC3823B2677F0BBA8AF48E00DC6635BF0618BDBECD32C16
                              SHA-512:6E4BB0DE86BDA6EF78CC74EFA78895FAFE04130922A54B6ACC92A799D4CE3599B6F13C9A3D4A7E0D5B47C0D8ACED239498A528C118CA756C08316877326946B6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):53162
                              Entropy (8bit):7.695057784105365
                              Encrypted:false
                              SSDEEP:
                              MD5:626F581FACC7EEEA8D40C8AB025914BB
                              SHA1:DA8832AD11B08ADDCD9801E72D1C77E69C9CAFD1
                              SHA-256:C8FC933F08396E3CCF9D6F97A24A0BBD5A2C6CD23964775F942166B303E2993D
                              SHA-512:F75AE9F17FE08D72B4C3AC549A8ED048B6445337DFB62EF4620A67B1CC331693BF9C43256388C1C07E23C0DC5F91F2CB838859930ABF85634F28FBC26420589E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):52026
                              Entropy (8bit):7.666592930660708
                              Encrypted:false
                              SSDEEP:
                              MD5:864F5986C6028B85EE9058D3351A1F37
                              SHA1:376ECBC5FBF1483A7B1A14067CC726293C6642C7
                              SHA-256:E631ADB86D129B045231BB9F813FB760E82D539175AC6899F56F1AC577EDE7CC
                              SHA-512:5052BD88F3EA2FC5D9FA9091A40A0B8E3FE629287C52C181F7C1578958DDC2C18BEC02AEBFA51C4B52CDF236B3D6BD2CA749EA8ED027849318EB82E5B7F94A82
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60322
                              Entropy (8bit):7.535490112311848
                              Encrypted:false
                              SSDEEP:
                              MD5:23DAD0F098DD7A8E53F7BBEDC19AB8BC
                              SHA1:9C762984569CADBFCD40D7677F1358BB77794660
                              SHA-256:5AA6106FB62195490187AC00CEA85A52DB17E7D5A46EF2231F5A74B6E4F811F7
                              SHA-512:23075A5E168E703A527B94A7B04414156525F68306DB9AE2D75CBBCA61D0373F626014EEE0EA5DD16B40D4CFD461492A304A22B4D96F81B1F27FAEF5755C9BCA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60738
                              Entropy (8bit):7.522195382935407
                              Encrypted:false
                              SSDEEP:
                              MD5:1F7CFEBC104B0D2D67BD806D672BBE68
                              SHA1:BCE7D78C6FF36B4B551475B74A98138133F50F35
                              SHA-256:133793C6EF8EE3BD957FF3265B8B6522620FDEB6117ECB80DDFF0D69DA6512A4
                              SHA-512:8DE94007D0435105F407DEF2653F9DB5396CD7EF80B1751731DBD249C7DF9B763E05C8892E4D2C1C841B8552CD2977B16B0AEB772B9E4E400524D0C52A608002
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):50594
                              Entropy (8bit):7.619457027919481
                              Encrypted:false
                              SSDEEP:
                              MD5:C1E36A0DB421BF53919C295E133C60EE
                              SHA1:1C5C3BC04731354DE0DFE404CC571986EB1873B2
                              SHA-256:955124A10B26C77D1DCEB459937AB2A30C3AD097681FC95B007A478198A38738
                              SHA-512:1C3E7A1989B4E7B895ADAA8CA791C5A73CA996B4E1D9C93E50AB74D3953FDADE6829DA43E4E5E673F334E824297A13377933EB699FFEC18A69082FFF619EC68B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):60218
                              Entropy (8bit):7.492840599521737
                              Encrypted:false
                              SSDEEP:
                              MD5:A77065D4782C2E5E7C0AC625D7E54F64
                              SHA1:173196A989F95ABEC50D6E9A155FF9FBC5301D14
                              SHA-256:6404A4E9C29AD8D96FD95A679E1106A684960271DF3C272F7C4998901C2A3714
                              SHA-512:564C663BAF42BF42978E880C7BD6BA1EF4D52C86CE03FC9AFBD3A703DEBD63171E8B24070442F8FE91F5385FB8E96ECA5855F43D06AA01EBDCCE8CBE16BCD530
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):54586
                              Entropy (8bit):7.686918526808934
                              Encrypted:false
                              SSDEEP:
                              MD5:A9C0DBA126B1BF4E5A94C7DED29C8B21
                              SHA1:8351BE6FB63512595D34E20F28D9241C0808931A
                              SHA-256:0FCD01BACD58F5656A2DEBD92DAE3F5CB9ECC50299A22FCC0C08595807096110
                              SHA-512:23741BF1106C937F638D7B283FD53CA8A884A8D3F12875EC5675E3376D7732CC5C6C1B58C0EE1E5C86E5868268CFC77D40C91C44A5A42C4BBE0DB32E2D8E2304
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57554
                              Entropy (8bit):7.558199106412047
                              Encrypted:false
                              SSDEEP:
                              MD5:16F50938D1878D2D42FFD109059AF571
                              SHA1:DD788A112CF3D13239306388F2B7E1BC6F40680B
                              SHA-256:60D171F9037C6CCDF75C9682400F2F018981F9891B3A70C5E1903516F1366B37
                              SHA-512:51A366FF690D800BD4B3AB5377D3B63BC226659495E4300D9913D13AB5906093BA95A6088C867D5564CFF304E1BF5829F3F3572646709B0311C6F69D8A189571
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):52946
                              Entropy (8bit):7.612643129449282
                              Encrypted:false
                              SSDEEP:
                              MD5:6760A620999E190E65A9ADD4B95FC82A
                              SHA1:F19176031F6009D6CBBCBDB81D69C3429CB65A22
                              SHA-256:DC595DE297DEC7048B1883DED62E3399BDFC8C3DA6A84DD10A63AC1FF952A71A
                              SHA-512:02D28721A6C95792148C53B43A8436ACC8B3044D91341EFB170C00DF686127ACFF8E32703D58AC51727279EE3CC981114CAD971A02CD6942BD04E6CA3161EE1E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):54986
                              Entropy (8bit):7.65584970856715
                              Encrypted:false
                              SSDEEP:
                              MD5:9CD72BB8B5FBD0CC70E83EB1AD4595B1
                              SHA1:C5E6E3AC736074ABC00E3F079391C5BF3A5B91D7
                              SHA-256:44E847F68401C67956EEC690C004C6507EF3FBF6ECF9C9C50E79AAF60B76DA16
                              SHA-512:C18FA0CF23C4D092DEE91AB57A92CBBE2145E23DCF6AE070086219656624ABCCCA28198BD9D3F08CE63757814BF09244D08169A8FE63870FE5EB36DF666EE22C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59706
                              Entropy (8bit):7.316615267638971
                              Encrypted:false
                              SSDEEP:
                              MD5:33AB97AABF6F16BAC9A9CA59342A493A
                              SHA1:D781013D9566808CAC145848C847DDF800F1DED6
                              SHA-256:B4FA76E69ABD7100FB34CACBD30989FDFCA81804D27248B657165EE67B37C0B5
                              SHA-512:6C552EE021F57B336A72BDA61AA6E73DB974A788DCBF05C206379FF5AE78E6BFCC4B2DB71C6A48F967F269EAC4048ADAC27D07C1318EFE7955FE048C643C9EBE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58786
                              Entropy (8bit):7.3533515478220925
                              Encrypted:false
                              SSDEEP:
                              MD5:354E1DF36267B0CEE533568E40804C70
                              SHA1:0C465E11AC2645826FB37E161B78282765F18B33
                              SHA-256:A270B3D45F3D53139116D46940E854B53606EE8BF79E98AD1392A64C4798F156
                              SHA-512:18B1C7A1115EC7E616F52BFDBF028E81CEDFCB8911158E52589F661319AAEC370C5900A923C73211EB474082D9A62C970DE2BCA1127B2A7A55EDC5B0D4B20D7F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55106
                              Entropy (8bit):7.465943413405951
                              Encrypted:false
                              SSDEEP:
                              MD5:B66C0D86BDFF7CBD409D570466935AAD
                              SHA1:90EDC2F0510F33728F4527936AA0C307C0580EDB
                              SHA-256:487CF5A6F85BB9F987840CD5814D076E4B233A1FC1531D6C1605C5846E400C97
                              SHA-512:810EB48B191F96766FC408B059D68CDEA7A7CC3C1378D51C00F9BFEAD626A61DEB697E251E4AAC41737DBD0AF4FD5FDA490E96BEB22BCEBB6C1CB01B3D92EAE3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55610
                              Entropy (8bit):7.71404049820035
                              Encrypted:false
                              SSDEEP:
                              MD5:1E15A2E5961CA3E897806C2DE44E7D8F
                              SHA1:91643E7FA02AFD42467C4554926B256793652F8C
                              SHA-256:2CD84E81B60F388D421DF60587FFF48877BC0334C5887041B715CF4BA370D5ED
                              SHA-512:25F3B271C6864A7E65C4013F3B84893F98E9BEBCBC17D50E10626544AFF0EB4B8CDC63AF7D82EA076CF3E3FCC005584EF7692D239F0DF1D81DD5C3D273154F5B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55618
                              Entropy (8bit):7.681754608014781
                              Encrypted:false
                              SSDEEP:
                              MD5:94F8EB1EC2BE652AF5BF30E53F7A8B88
                              SHA1:F0A8BC70DCB8D3CCA22BFC8548837BCB8E456452
                              SHA-256:F12095F84756C93C2EB86A851054FDEBC1B8B739F4FA5D9A9A177B99833F84C6
                              SHA-512:90125B43837FDE0382FA6BC6834F3F368E559B66D637264C384C94BFC125CF7F0367D6F2AD9C96E98CCDA724E18C80821B08F835D9943691EECEA696D4978753
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):54482
                              Entropy (8bit):7.626134314420013
                              Encrypted:false
                              SSDEEP:
                              MD5:5FADB90FB7E55C1E649C5499483362F6
                              SHA1:152DB2680B3B84CB4835AD4C4062C948163CE928
                              SHA-256:E27B70E458AF2653114DB639BDFF329F4106CB9C333A7C47CDAFD7CE31900514
                              SHA-512:2EC4E6F74CBC0B28947B0148B92EEA5B0F72268AED2D82AF3B56EB03C70D12D020071B7B48728E9FC9C4197773FCC650FDB0C135A4D197B045F9664BDC5578C7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):53674
                              Entropy (8bit):7.603074964066734
                              Encrypted:false
                              SSDEEP:
                              MD5:9A0893A7F7BAE8C7A134B8E8BFF1A772
                              SHA1:667FF7852867CE71DA44187067397A2B52A1D321
                              SHA-256:48B11C9DDA8C672FD621805994436D166F910DAA1C2F088E20CD4B4B0AA374FD
                              SHA-512:4710847A58EED79913E59DA9602FE71D7FDBB2E5B69D243EB3352BDF9218D6CFD2FF719599946D716D613245AC5175DAF046DDEB9F69B992556BEF974621CCEB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55098
                              Entropy (8bit):7.616905085489604
                              Encrypted:false
                              SSDEEP:
                              MD5:8EE32FF462868BA2841DD96E3E8F5E95
                              SHA1:8215FE24C41505F5A768D8F087F7557D2C810EEB
                              SHA-256:B17AD11BCC810EE88FA67D6B426477AE766C3D5F6B1DF4BDF884D74617750A11
                              SHA-512:2F1824C37446F0153E7493D021702886534547D2D2626867B340F59DA2DE827AB48FDB915930E85041F30A70768DCDA3CABF32EEC5F4CA41E31D898C4D679308
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59818
                              Entropy (8bit):7.684977584860136
                              Encrypted:false
                              SSDEEP:
                              MD5:6BB17A38B52B569C4D04DC3084C19C28
                              SHA1:8E1216CFABB3345B77A2EB9213AD8F8E84914A7C
                              SHA-256:ACE4A98901EDC96EA0518A58ABE8F540AE8FE6D508A6E927054268CF5FEE986E
                              SHA-512:F6871C7FA933EC11704B70AC52C1D5D71CB127636F8D5591678695440565E6C667EA0163536E39295B58C718214CA77406519181E2035101EA8BAAFB23095773
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):54994
                              Entropy (8bit):7.612833884881558
                              Encrypted:false
                              SSDEEP:
                              MD5:ACC0C01DC9D4BD9C1AA892F432F33743
                              SHA1:367F83261D7EBCA562CA1AB4FE89F22B3E875208
                              SHA-256:74F3D8C7E2B794AC44EB3796AFA2A8D76538769BA79709C5F457F0635C39CE58
                              SHA-512:6DFBCFA9870B6A37626EA00E83D319E34ED2BAA151D98A57FBC59DC7C13089A93A2D3D47853DB5DA1F60F28F1B720069E148FF21C559122251BD0E18B01C8C3D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55506
                              Entropy (8bit):7.610961935733364
                              Encrypted:false
                              SSDEEP:
                              MD5:C7005B9B1D530BD89DE24E38D2A170EA
                              SHA1:E01076541A77DCC71C05E6E9F73A49FB40A79084
                              SHA-256:DEB5713290BD9CDA255410EAC69DA1287642842C62BE56D00C2342A0453D747E
                              SHA-512:34C62D5663BB351B6BC49153AA80DA204340396FAEFA36C9494A23D1397226E519195AF47F77153755A633C428071FF6BC1EF026A851B15839DBBED87AC088E6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59194
                              Entropy (8bit):7.411719118568673
                              Encrypted:false
                              SSDEEP:
                              MD5:461560EBC61C6D875E037BBAE78A4FA9
                              SHA1:E702C51B1A017D468298D5310EFA54DFDD77EC0D
                              SHA-256:07554AEC2808AE66FAD55B5EE51613A18DFFDE6C2C7B327C3D07D8EADD9D1DF9
                              SHA-512:EEB9A91393AFE693294A9E91F960F4A3F7D930A786732D17D26D2C2252608C8F796008A0DCEA2ACC1C323F0BDF463B05385B33B2232A6E99010A34A0F2B141A6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):56634
                              Entropy (8bit):7.604642477141267
                              Encrypted:false
                              SSDEEP:
                              MD5:D9D15873678BE84832564C63A4FFAA39
                              SHA1:16B89BB8543015B52787B3B06E78556D9287D438
                              SHA-256:AC0D31E5FBCC8964B9B8DEABA96D58F72E295168D7E29E5DCF69D06EA5197262
                              SHA-512:F08A382BF0F2465318A3CB867F341DD19A2C5FC17006B850CA92DDAC8A0B5DD89C03527C43FE5F48F60E4B471735CE307772F7A5348BD70BBC9BD498A557838B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):58570
                              Entropy (8bit):7.451105800406997
                              Encrypted:false
                              SSDEEP:
                              MD5:CC0AC31091A8BD28C795B8CE81C730D6
                              SHA1:E3B9251C69407DD20EE8627F4918048834D9E706
                              SHA-256:8FB81B92F1CC19E9AF7CE68C3C273BB1C6E1D23C8607A6F825D46A6CB8C3A4A3
                              SHA-512:79D5020717EB0128DD196403DDB620517A18BB52EE4E6FE8FE29A6BE9B174A2CBD29209A419E8F956AF0BD74901E1ABCDFB9BB9AF3B6B24A3A028217CC851DAA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55722
                              Entropy (8bit):7.733902177054966
                              Encrypted:false
                              SSDEEP:
                              MD5:7E38ABF348C281BD4257FE66D6CDE57A
                              SHA1:365F4FDC654C538549DE4328251963B54C5D36D4
                              SHA-256:038295B827342EEBEC2EC74379A446C0F4C2EF77E0CE8358DFFDC587A075D11C
                              SHA-512:03566954213F56D36ADD379CF36F9036B6FBBA3D05D50EC9EBE86CA274E54A8E354A0744CBA83ABA7E807EC0329A6954D41B1074861EC75D853C3050048BCD3F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):54994
                              Entropy (8bit):7.72957705825928
                              Encrypted:false
                              SSDEEP:
                              MD5:968835EB7EB1073027A5421DF01BE05E
                              SHA1:15A8E1412AA9A2E11DC9DFC7BF67A2DA60D3502F
                              SHA-256:AEE7EBCE07F7F96F16D9CB938EDBC7795D9E4F0342E4515C978FFA652648A68D
                              SHA-512:20FA7946464FE06B9AA65FE99F2022168841CB1D3C28A569A0F1A9342A70550192E08576988176FB2D3C6610B10191195DE22DCD84B6F272C90FD79DD9C7FC82
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):52434
                              Entropy (8bit):7.634706121500657
                              Encrypted:false
                              SSDEEP:
                              MD5:31F819E399E407279B9EA32E52C4A9C6
                              SHA1:F6D0812E4CB390B495612F2EBACD9A46574DD879
                              SHA-256:ACB3B8A25BE52843BE257594D8B094C9FAC35868569FDE111D9CDB64CA7CA96F
                              SHA-512:2BE9142B66E2F868B00640C00C970F44DAB2C23C22DD377BF717503CA549EFB8BF0C7887022F66142768B10202B2CD7365399AC92B79C0D656B10D6EE966581D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):55714
                              Entropy (8bit):7.539102187977402
                              Encrypted:false
                              SSDEEP:
                              MD5:9C9F8D1C1A17794E41F216A66C3414A7
                              SHA1:D08CF34FB9A9019984578ECBBC70377EABADC6FF
                              SHA-256:3CE6A06F2DB7BE222F75C95C07C010C9C611957D043E7FEFF71348A252555C46
                              SHA-512:581225A697FCDB5B26F116D637BD113C40FFC2A1EBF03CDB819806D385E6ADC27C906985B5E20DC6EC1619C8483DB5AE9885A6D4443FA47C9A457A874FD670A8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57554
                              Entropy (8bit):7.430581538823191
                              Encrypted:false
                              SSDEEP:
                              MD5:8C4D877562E7FBB40CF137F02F4B9F06
                              SHA1:36A0018C14F3F2724AA28F68375E87D445F2EFF2
                              SHA-256:E9AF9933A4FB1E8E0D67D5C8388110EA9A3ECFDBF73B7AE55699A206E0CEA640
                              SHA-512:90F1A1562042C215CEBA8C78B031161E9649E4BEE780B43E29D45F66444B3148BE531DC2EF5640D7DCF6EB4D05E5F6908D53969DCF46AD025F7AB153FB5E4A94
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):57762
                              Entropy (8bit):7.637564685786951
                              Encrypted:false
                              SSDEEP:
                              MD5:0715477BC54DE32E89DEDE50B6CE3682
                              SHA1:AF0062BCFE4594E1510134361F1CC23DAE6F5B43
                              SHA-256:E0213EC46AC847D137251E888EF3FFCD34FC3A3972AD79E4652E928601D21C05
                              SHA-512:C9F98DD636E3B52F6EB8EE830666291FB9A50DB7E43E486D79B49D637EEC5A1DD8A178B11C1759E15314834DDB8F8738DD32A43426E49CFE43FC8988A0DE04D8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):59298
                              Entropy (8bit):7.3941326146469
                              Encrypted:false
                              SSDEEP:
                              MD5:6616A49AC3341E195654DCF8007CEA1B
                              SHA1:9EC8AC46826DE0F1A0FD08DEE1F103A6D15D4BAE
                              SHA-256:6C200343FD715C3F8DCC98B51185BF6FC7D87C7B022F4F81869A42C3EA884CFF
                              SHA-512:2CA48F82868D3AC1C1044EAC3091CE4DB5C3EAC324815F347E1DA6003DBA1D43F4A59800C57E01250127C903343DFEC87E19941396864FC38925671A66F4001A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):50378
                              Entropy (8bit):7.528463270768167
                              Encrypted:false
                              SSDEEP:
                              MD5:19458C2C08831C4B84AD4519B53A8BFC
                              SHA1:7D35E11DF83CDBF0B12BDE2A9267D880CDDFC6A1
                              SHA-256:9B9E32863CE8C3317AB1B2F90C144188F5FED97D49269316AFDA11B1B86FD751
                              SHA-512:6FF0FE1F4E5C8C744F71F948C9CA2065C2B1775F2B519C9BAAF04D4273C4FEDC0AEAB5F49A30CE6CACF514EC4C12DD72EAFB9FCF45557A77CB3C854B554EF6A3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):51106
                              Entropy (8bit):7.544996281004697
                              Encrypted:false
                              SSDEEP:
                              MD5:C13B10E0C944B27684BCEE451EDF4A24
                              SHA1:0D656B70294B9CB193F9E1DF03D5B3B17EB1B23D
                              SHA-256:4CA525140A4C0B1FEB7541198350668B16A5757A1029FADECE2A080074D32B18
                              SHA-512:9E418E9AAA1A87DCA9ACC6FB8B790809078823624424425F26EDEC20610EFA9FEEC9A11A1C97A5F2B5C37D3599D50452F715A3580FDBB705B6AFF586F6B90FDA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2934130
                              Entropy (8bit):7.068434916031138
                              Encrypted:false
                              SSDEEP:
                              MD5:E973410F1655EBC4289E2B908DFF8982
                              SHA1:98CECC544DFBB95F00EED1702C0DD1B56FA6F179
                              SHA-256:2D0AC2D0086DDA4CF6305147235EE64B499D76457C6B622619C314A271CB365B
                              SHA-512:4039B2BD21A6CF7112E7BD98CA5C72C2E728743A72C37201F7F2B698AFD353840E5FA8C31B8AA1875C25FA08F2CF3D6D80DCF322B4B51318422239D5A79722A9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):377
                              Entropy (8bit):6.342862490455626
                              Encrypted:false
                              SSDEEP:
                              MD5:15E5EE390075238D03046E849770ECC0
                              SHA1:A9A7FC03AAD0D319C84B7D67586AD7B56B9BE2C9
                              SHA-256:51ECA32AC19D53A9565A34B4D07F862530C58755C37EF1D8E4BCF1EA934D2A7C
                              SHA-512:D97DEC2621EFC7E50A839FF73C990AB7C2F334B79C64B328B2CEC7FB2D38839EB1366E8B4D263268B955951E3CF3A5AADA18F8206F45A9FD82B1ABBD91F7E8D3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):9424
                              Entropy (8bit):5.4425290748049235
                              Encrypted:false
                              SSDEEP:
                              MD5:0644EB448A9B8BA068E4BD8404AB5D9D
                              SHA1:AB61AAD597AC7DA8109866E787FCB2B8F78F671F
                              SHA-256:9F5AB5A46BC31792E8CA099158C3B11C509F9BB3BF433B0B9D1F26D35BF6CE3D
                              SHA-512:A1D74AD145D7E68D986FFCB9A8A978526B730B3B3651E2479F87D4203B574BD7EDCD9DBB748C0C55DAA4B5AA15688B9B39E90D960CF118E63AC66D0F3A2EAC4C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5222
                              Entropy (8bit):7.048738059821459
                              Encrypted:false
                              SSDEEP:
                              MD5:6BE075DB7632BE6AAC29E51268799E1D
                              SHA1:D738971D57030EBF926D73A5A609FF6D1FD33B4F
                              SHA-256:BEA84BDE034B57BA34FE753C064365E7EA2B73B938B03C041909FBC897EBA648
                              SHA-512:C5B79B270C1725D9C294DC5B13018C986710D7C5F190AD0463CD59A971846B64E687384666E7BECAA1CA9D035C5EE2DE5207059597C2B2A7E61563D09361C794
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):49386
                              Entropy (8bit):7.232079156050753
                              Encrypted:false
                              SSDEEP:
                              MD5:8D51D994EE8B7DAA8E2FB6B0EF916580
                              SHA1:DAB0283651126383BB0DC09A6AD624EB9B4DB64A
                              SHA-256:9FAAAADE64DF1E768C6D93228C7B281937B42977C26CF0C446C12BD5DBFAAE13
                              SHA-512:20F830A8D40FA15C0D99AA7E58F939A23B2B31F0DDD1EC265B766C75CA474672FDF5097E5172D4CB0263ADD89ACAC54B869FC022AA1B4418A536345232D284D8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5294946
                              Entropy (8bit):7.115208785342934
                              Encrypted:false
                              SSDEEP:
                              MD5:EE17DC95EC76F21841C6B91721AFFF53
                              SHA1:EA12A705734DE17D2CA225D13C98FCF0E4B31B2B
                              SHA-256:D472EE870ECDF487639E041343EB8891E282A2D9ED4A7BD7E109FB9CB1E6AB23
                              SHA-512:03AC8F9B33A76795AF0F9D310B13613EB6CBF045269CC74C47C8283998E13A5DED9F91F6672FC013AFD892B3E64C4787D8F5B81910AA438B7CAF4952EF18A959
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):195338
                              Entropy (8bit):7.196643649600595
                              Encrypted:false
                              SSDEEP:
                              MD5:A17A740ACBFD0C8AB84238BE91E30B3D
                              SHA1:AD5E78B8E77A73AF4E2B134DC5AEB7351985A4F6
                              SHA-256:02FD408F2216D14C96CBAC07AAEC74C247948EF7703FF71DE0D9FB45BDF1B0EA
                              SHA-512:7C78FF186E936E37D1066B1837DB73AE8662A405198C9CFEE1CC7FD8F19505155335901CA7D84BA52176F935AC653DB532BFA6A8702C088B67C402DB61447D26
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2283570
                              Entropy (8bit):7.082181433757741
                              Encrypted:false
                              SSDEEP:
                              MD5:37BD01BCF5358674D44B39852CC27D1F
                              SHA1:EA2E76EB6A3FE9550C69CEBCF35F82D8ED94CF3B
                              SHA-256:6C8EF502A3B398FE287D514C089A0D63A41CBD455284CFF7B77470F681CDB61E
                              SHA-512:86968F60A18EC67DE30FC5AEEF0C5521534D8118618C55C90445221D8BBA1797D007A4E691D78E3B2115E5074651ED0C0AFC32E6F9FC587889C8FE36E1A43149
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):133074
                              Entropy (8bit):6.911480794549948
                              Encrypted:false
                              SSDEEP:
                              MD5:7978B96CEF0D822F81B9BE7ABD452C11
                              SHA1:6C86574538B2A71646461FCC91206A730F59999D
                              SHA-256:58C8334275825BC3D6B4204EEADA619D99DC375AADA23BE01582F84E086F51B1
                              SHA-512:EFDE34CFBF93EE8699AAF62E5E8A28F2B685A3012DD051EE4955D9D98DE54E470826C16922D9D0E6ED150E2047474D436498604EBB84620F67A3CF525A53A0D3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4446
                              Entropy (8bit):7.073362409911992
                              Encrypted:false
                              SSDEEP:
                              MD5:29CFDFFCB2032501B9E02F86ABF58166
                              SHA1:57668EC975AE8F9CCA9AB4841403CD13AC7E8B6B
                              SHA-256:6676B9E925A1311BAA17962744E9F46145144471AA91AC49D6F9821AB5AE71B7
                              SHA-512:CCA0BF843D9455337535E3A021A7446634A60B5578B153CDA0AA32915F2A6A2388D6E63B7C46FFE939084A559A2FAFE82E20BEA01AEEDFB1E2AD00DF320CB5A3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):537655
                              Entropy (8bit):6.676504752258497
                              Encrypted:false
                              SSDEEP:
                              MD5:A38857CBD609D5D860DC5C84F9C577F8
                              SHA1:E3E20DEAA1CACBFBA00285272B73D7BDA96F1270
                              SHA-256:C860B7F6AA863614C4A275ED0C1F44BA08074B78B207258EDB94F840A704C34C
                              SHA-512:33B958A9A87466D048A72FAFFAC6A1B3507DCD3193ACACB5A669EBAF7CB93E60D8A2BB8E99B3084240D737EE41B536436F50582367F41E1F37A22B9AD4D584A7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3670490
                              Entropy (8bit):7.072733286319625
                              Encrypted:false
                              SSDEEP:
                              MD5:FF0D6D2A4BF701953A0EB32A5E5719C0
                              SHA1:BE69AC4068054EDE7FF08C466B0565EADB7BB529
                              SHA-256:5B319546E85AC32717FE58E856AD7A70726272F43E004AD04ADC14B64F8A1936
                              SHA-512:1E22A6A4E255050169DA87683523DCFE3E608381490EBA8AC84475797AB7EC1D729992BB912EB7AE784FB13C9128E212F5B278BB4F6A7A12A417B7CCD4F316CD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27871
                              Entropy (8bit):6.7473772373403715
                              Encrypted:false
                              SSDEEP:
                              MD5:5FC589095901926A00E84953F18DCD34
                              SHA1:094FD679862FEE402235AF0338148101D8883A55
                              SHA-256:D97E171344BDD0B63321A0C0F03AE492898A14B77602C77D3AED8E82389EE4E6
                              SHA-512:95C4189420702B9B55F530EC760BB6AF26EEE5B5DA46C6BABCE6A31AAF3B6825AB7C08E2DDA10C7430415BE3CA899EE5DE82820B1112F965F590F6B146573734
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18938
                              Entropy (8bit):7.4486816490673124
                              Encrypted:false
                              SSDEEP:
                              MD5:BA72CEB512A788447F085B76317D78A4
                              SHA1:41B417697B47755A3DCC14C5A6A0D202EA570063
                              SHA-256:80EE3A63B8A9D0DBB4E9FDA4335DE44FB1199BF90D9003857E3790890D426FE0
                              SHA-512:CF466EFC90194314A875C6AD18462119FECBD1C8557997D37131F10BA99174D20747E0805412C099085BD43C5CC98886313554A830CA6333A7A1C7CED51C6672
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18938
                              Entropy (8bit):7.467756532309771
                              Encrypted:false
                              SSDEEP:
                              MD5:EA9A9E170E12D5F5A1D05816908A0A73
                              SHA1:B3BBF159EE889A3188CBDBB353037D0B8FF4DBFD
                              SHA-256:E81D62780A906F4BA4B81BF4EC8BA6E5F2EC2CEDF54418F10DCB4A95344BE179
                              SHA-512:D4869AB50B3513A3F85FAEB37F754053F4773086CF5A0120481351709E6AD6ABE88134351448E68EA91A3FDD184472ED4915635C762FA34901295C0CFC0F61E6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21498
                              Entropy (8bit):7.483070515939285
                              Encrypted:false
                              SSDEEP:
                              MD5:984627B6521EFE8FFCD916FA7582FA57
                              SHA1:8A8C823839AE0236E660BF2BE45BFEAEE7BFCFB0
                              SHA-256:C8AE3F18CF2934CE2E0FD0254BE43D3310B934D871F0ED0676DA978B446C4FC0
                              SHA-512:5FF552AC739223343D54FD6EA3A5FA271AF863ED52B541ABED64664C860A2552F4269CC15327A13987796E0CA8C31E1E6DA98AA600BD59F7A69CB96CC7220F62
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19450
                              Entropy (8bit):7.463904065172402
                              Encrypted:false
                              SSDEEP:
                              MD5:C46FF3994AA476E1DA4187BDF5091F9D
                              SHA1:C3FDF731125C3428A505C48220953F18F7BAEF15
                              SHA-256:106FE946F0B630C5052DCF136E907AD1FB0532303FDF6882E5894C83CD5F34F9
                              SHA-512:72FF3ADCF6D0A61EEDFE24779985C40CCD3BB01271D12E3CD176477A45174E1CAC26332908208C2769B16C32AFD11AD07F641EDBE8BCCE0225642A9E508D61B7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):19450
                              Entropy (8bit):7.494079016425733
                              Encrypted:false
                              SSDEEP:
                              MD5:8B4398FAC845A1A54497FAAD2D152ECD
                              SHA1:B89BF8C1FE126B19A7107AA83649BCDB270236BA
                              SHA-256:7987F02F0492FB134AAF6D90417DEE65FEB2B97831E1AC18C16B9FEDD977C459
                              SHA-512:A72248ADAF70F5F41559134F5B42E9E8BA46E2E5B7578B9DECD8A6C22037BDF8D0335D0801C839A036177AE0DEA39894E323878D6A8C85CECE06D42709AF33ED
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):18938
                              Entropy (8bit):7.502475215007546
                              Encrypted:false
                              SSDEEP:
                              MD5:C637E54B526BB332437E53E94918E1C3
                              SHA1:DD5378D0D3522FB6122C9BFBE668C364ED9328A0
                              SHA-256:4678A07F2C48D5A9455395DC33BC2897FB33894BC14F5CFB64ADEDAD50CD521B
                              SHA-512:88FFDE48804543BFBAC3A28EF7A2F3B9E67A4EB8DFE12F190C3AED1847E550B03ECC239AA035EF05FAAE4B63FBB2AB1F1175F353C68B4DA984B0ADF04FB0C160
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):11930
                              Entropy (8bit):7.273466036416358
                              Encrypted:false
                              SSDEEP:
                              MD5:475FF1756279DBDE939269A6DA48787A
                              SHA1:8BBBB4C4C1B9F872F0BE944C8CF76A4737AB1642
                              SHA-256:2E4999387E890F59BEEB27295C4D5645B0B140BB743F299800C5683A589ED0B7
                              SHA-512:0F1A6AEB71BECC927C63960ED191884E5DEC74D0314FD1EEEF03A3A793AC6F10DBCAAB0A0C9BEB821F85E1F472161A2838A4A0D70ED3CB19C86E4D21562E5A71
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19962
                              Entropy (8bit):7.504055639880477
                              Encrypted:false
                              SSDEEP:
                              MD5:471F28F99F697338ADF52A7DA4282190
                              SHA1:9934A92B6CFE9B01F02611D94C7F81D280E05B7B
                              SHA-256:36C74D1C38E984ED48572566BA799FD059573DED50EF8373791641313AE0F412
                              SHA-512:7894BC5782CBC83874C9962F19BC92F12093DBDFB3AC70DD1D9F8BA6F2775B3DF10E9145AFA4E2ADA617693465C0F61740CD9293B7FBD0C59FD8A51BC955B5A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23034
                              Entropy (8bit):7.415408787819322
                              Encrypted:false
                              SSDEEP:
                              MD5:3D438003C7318103673DB23C81C08119
                              SHA1:B9ADD116A8807C31973268A82AD5E89137215ADE
                              SHA-256:24E67A196EF3CC0C0FF696ADB168071C4452159469F4665409E016FE829BB86D
                              SHA-512:12B296AF0352C86FC3F4BD94192AF41FC3AE852FDDC47734FDBDD5AC0E77123D960B352EEE93C7C0BCAFA948899161E0C77EA4852DBFE58E53B4027687D73A32
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19450
                              Entropy (8bit):7.436291791744706
                              Encrypted:false
                              SSDEEP:
                              MD5:3238F4A36DC7D6F841FF9AA94434F56C
                              SHA1:98EE95A6EBAD1D89DE493232A2DA2E0D9EB04171
                              SHA-256:8632C07FB23AB1CB8673F6F88F1CA9896D0567BC3E3D8506F77044662B732051
                              SHA-512:3B2B65DB68DD39B8E22E5C7328F7A530845DE17889D9A014CA3ED2AAA2D26CE7D5B4785005ECF5A1663988933856A68AB25587D1D5F43C84B878A1949129092F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):20986
                              Entropy (8bit):7.453010450494801
                              Encrypted:false
                              SSDEEP:
                              MD5:0C66CE01B7DA0A510F582165421A0DB2
                              SHA1:B7235894D100E6617752F4A1A483A33381FF441E
                              SHA-256:8562EB78E3183E4DB5A9093BD1284D5FE60B295418539C6AEA254A248835419F
                              SHA-512:154BDA03329B2BDC9720874728CEBB1CA875AE258989B67DBCAAA0F8F2BE9D276F984AD714959FBF97AC1D95704AA2639E572B25B40908330005D312EF3DC4A5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19962
                              Entropy (8bit):7.476271243624618
                              Encrypted:false
                              SSDEEP:
                              MD5:42D9F9A3876C164DA0831EC1C090C4F7
                              SHA1:2BF26932D06BA8EDD02E3E3A7DE0F22C7D2F3289
                              SHA-256:946C4CADF2E72C75353FDFDDA759DD36F917D5227F560EB1DF2358217E29D832
                              SHA-512:B6E1445E7B1E2B1691568CAACC793B1CF07A5575DD3C3DFCFDAEC095F74D2992872E345799629D5BE7CBCA538C6F54F85A49E5130031ECD8121BB7665DF7FD19
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19450
                              Entropy (8bit):7.479799888082276
                              Encrypted:false
                              SSDEEP:
                              MD5:07E41FA6F55DE04A29A72585135A4853
                              SHA1:5922A51D83360494F1AA57794A09C60C0646C7FB
                              SHA-256:41EC2C9D9FAB19C46A92CE944520946E409471917848148FA82A7735DC4B07D0
                              SHA-512:8F7C494744C33DE8FD43429C1EB2520DA2E136C8F75538F99A2BEE4832CBFEDE3477BD678FAC33513BA8A56958A7503C35482A6D871EBEA698A6342F6683EFCB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):28154
                              Entropy (8bit):7.2536591002956605
                              Encrypted:false
                              SSDEEP:
                              MD5:B98984A61DE70CB778ED0DB337185E3E
                              SHA1:2A1B5A782BB20580BBB9E92CA486E3E1171BFDB6
                              SHA-256:FA43269537ACE4AC139D13E49268C76F887CFE3AAA1D3EF2697A054D0CF9354C
                              SHA-512:95AB2713419D6DFA865F4B3BE99A7FAE9B5F9B82438C9380B6F1611D51523849D3D69B5D2D8CAFF8C02730CEF14F5EE09B4C67027AF287DC31A44FF4527BB315
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):27130
                              Entropy (8bit):7.28992935894898
                              Encrypted:false
                              SSDEEP:
                              MD5:C869710EE29C9B554ADC1164C93F09DA
                              SHA1:A1A727534BC7BD01E8882E1E33F20BBEFCD99336
                              SHA-256:438954C7D0B7E8C8D355E4921E6A3025CE43749A4D7C1C45494D164087CA3923
                              SHA-512:3CAB97CE9F3239807AE7A4B8FF7EFABDA43F27BCA668DCA63D996934F64299F31B2CFFE7C496CAF1F5CE7E9F131DDA91215354D8CD139C3C896C50C5A63F7A91
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):71162
                              Entropy (8bit):6.828357422701559
                              Encrypted:false
                              SSDEEP:
                              MD5:E11FEFC01FAE55DDD955E094F156B8C8
                              SHA1:A9BE5638C7A5B8B9069241535ECF5B35766284DD
                              SHA-256:32372423360D6535421ADF88994BDF2ED945A68737007A87516E0EFBD9852B5C
                              SHA-512:7AB0D19579CD0579129107489818C957753B33164F7071BC797D5F0C5C63388DF16EDC24C6F4B503E0563B49CCA7693D5C66637C93886F3552C721AA08ABAFCC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19962
                              Entropy (8bit):7.49424670901459
                              Encrypted:false
                              SSDEEP:
                              MD5:EA760CE8CBB9EB7AB7B07AAFB1396706
                              SHA1:62AE356E033C7111D112A6ADAF4E325D5B17AB8D
                              SHA-256:A0CB5BA14A0EA7AB450AE9A222DAA0E8171293AD324521B58AA41F056DAD0D50
                              SHA-512:EC02A45E094D24CD17AFE59118F0C07C16D8379310CFCA335B459FF5F7152F5D3A19E714A951EB3D3734FF626791D950FA32486881EA724A4787A836D52469D7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23546
                              Entropy (8bit):7.4005906546004425
                              Encrypted:false
                              SSDEEP:
                              MD5:1B99B9EB9BC8A3070932CEF9D03CC813
                              SHA1:46E18E497D9B77E939BF8C7234677DED16A32A25
                              SHA-256:70F26A34B2B63A68A80611A45F2F9D6BAA8A37CD281AC71F2AA5B44E0CBB9044
                              SHA-512:0886C4A568486B72AB180C2FA87CF8188FA4818FA9A269C0C13432C2B4782AF18724A9FEC82823349F65BBF83F1B3F2356BBBEFA091410E709FC062EF62A676E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25082
                              Entropy (8bit):7.36637091369013
                              Encrypted:false
                              SSDEEP:
                              MD5:0ADB6398BEAD249F860AA83E5B06B226
                              SHA1:9945E8803AF5BA44A5CFE29D1BAB5A93EE4C46B6
                              SHA-256:58DF61690E0CF651F21F9EAA1141B62E7785AD1547281EECF72C5CB307E4D3D5
                              SHA-512:CBE67F82C63C2D331213B9567A4026FD860026E538BA63733A38673B7C75628E6D893877E59743C3E14A6E39A55337C5AB972159E9AFEB9C8C21304DA138365F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25082
                              Entropy (8bit):7.36734594294327
                              Encrypted:false
                              SSDEEP:
                              MD5:0B41B6BE7F43445EE5B1DA88B8E01C4A
                              SHA1:9D5A559E07FA299862314743904937B19901FEB4
                              SHA-256:B7B7472C16A479C983ABC88443005EC41C087DB91E19305E040403C58E40C3DC
                              SHA-512:6A1E35EAA39B98A0B12D18845EF6D784B8D1626EBB6F05A98C10FC6ADBABA6C90FD285411DED39108E07ED8489116627A900F067C4F7F655E83E71B56F879C8A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21498
                              Entropy (8bit):7.4512455020804715
                              Encrypted:false
                              SSDEEP:
                              MD5:7B95B5410CE1AAF3C7F6759F4C606599
                              SHA1:E9D445F0F1C6F9D72E34C6E6C4FA474BE97300C5
                              SHA-256:C84466295D38F18C3EC75D4EA6B50C496DABA54E911C80DB301E881B621D6C94
                              SHA-512:1B2BEFF3AFBDC02EE4ED2727FB2E5938194AE2D251A54D351C43185EF149BFD4928CFA2D9EE127C227401E2F910940588FD9E81D24E37C97BEA50F41C3C95E9D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):19450
                              Entropy (8bit):7.480884895407726
                              Encrypted:false
                              SSDEEP:
                              MD5:BAC1B947A5CC4B0C06154D3C5CD8B2D7
                              SHA1:81CB137957F6B73A21B45CEF1968D4D2042981ED
                              SHA-256:BB518C4C1F48EC2736EDBD97937BCA5EA1A4939D137B1B8E1475CA64735A3F26
                              SHA-512:C2F076F8581DBA28C316B2DD16F39B6CD75AE0267F7D5DF1C6A056EC03D666979FB30BD0354E9BE255299B264F6D6B98946C74A440A15590DAC4D14CCA847BD7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1627970
                              Entropy (8bit):6.952623901630999
                              Encrypted:false
                              SSDEEP:
                              MD5:E5F9B70030E888311268838E12EAF217
                              SHA1:916D6F1F8B6BC521E2042F8150BEFFBA550D677E
                              SHA-256:75DE2FF44CA9041DFD0A1C358C65B7E0F81C28EA18BC591EF42C5932326C0ED3
                              SHA-512:EAF8AAA83F0F67680662E82D1FB65DFA7406FD2E415C7373CBBFDDA9B7873C02D9BE7455E35CCA0E41BBD410A6DF9CC9B493C5014F3EA96CE67FAF49849FE4BA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):132842
                              Entropy (8bit):7.304074648944462
                              Encrypted:false
                              SSDEEP:
                              MD5:A273148FBA9A99E7D4FE64A529A16787
                              SHA1:1ADFBCA67F29BAC9430796CADC5377CC8F3967C2
                              SHA-256:A7855C627C0E4A30C5EA517874BF90B4C0D99438053D9EEC9C0881E10AB3E90B
                              SHA-512:3848761CC044597858F65D31907FEEDD62EC39E243F28D3BF01C8523EC42F392CDA731784A6DF798244C0A9CD179BBCAA4E942177A8EC89423290B208104CF22
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):182986
                              Entropy (8bit):7.155893829550886
                              Encrypted:false
                              SSDEEP:
                              MD5:29AEA4B89968AA598C19491FF30E154C
                              SHA1:5E30B6E49682BECBD674CD27161F2819B8F5EF0B
                              SHA-256:73275FE1869E227B4961EB6A8D383E191506FBE4BDA4F7CA4D87A57D0816F013
                              SHA-512:79B481B0585DFDF0CE9FC55AEDDA7638AF81E2F6F5F52E51D91D2E3ACBA5F3E6447E8DA98E86CD7E92816BBC65FD8D4028DB7594B93227B0C76F591D0A409AE3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):32824
                              Entropy (8bit):7.569764702306335
                              Encrypted:false
                              SSDEEP:
                              MD5:A3E4C9E512BE53C7D9F3AABC06604277
                              SHA1:E7214D861B3FF5FC3C9F610D7796DA2FDF125F33
                              SHA-256:4736EC61C0503FF2FDE6DACC950BD8EF35CEB6D34DBB143892DBCC942F8EF024
                              SHA-512:4D53425C194FF6BF486DD4FF5E4185D16EA9197217ECF9E2FD23C9F895A4B44B01FDF2C2C25A9F9D7E2348D5A54CF81FD9B9A95DC0B893F3B7C19F8DCC32B253
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):420
                              Entropy (8bit):6.14393324358656
                              Encrypted:false
                              SSDEEP:
                              MD5:7BBF8119C1EF21EB029D52E48F6C7A6B
                              SHA1:70E721CB8E2DBD7CB227B2C8169C10B51EEFD74D
                              SHA-256:640A0736BDCC1574A662B98369B7A8850DF431A1DD53ED6FC309BBADA0321188
                              SHA-512:09D1F739E8A1ECDFAE56B677512E5EA93947C12B34AAA35A4898F2413E8774A66A60FA1231467D863A7F41724F5D5AA6944FE2EB9C9E6ADEA38241FFCFAFBED5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5415850
                              Entropy (8bit):7.184196372092484
                              Encrypted:false
                              SSDEEP:
                              MD5:EEFC859518C31613906C0B30CB04FB1E
                              SHA1:535117F286C02511ADE9DF23D9F01AC2544F74DB
                              SHA-256:188CD774523C798233ACDBB71BBAA449A55EC282F3DC36356EEB84CB228B5FDA
                              SHA-512:46C9A8C541E5F600EEEF641214F3EB2D4DD48398F4B633A2705C74D3A56A5D0C306ADED244DB07AD68AFD1C1F9234B79F75AE40CC3868612E34B0F0FE976AD84
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1507826
                              Entropy (8bit):7.075744788995757
                              Encrypted:false
                              SSDEEP:
                              MD5:979AA5847C47152DB58145ADAF2A668B
                              SHA1:D59AC61530DDDE711DAEE2098366377E01557C6C
                              SHA-256:AFD217B2C9D21ED801AF57FE0BD3942A9D4EB29D8232E6543858396FFDDF9FD3
                              SHA-512:B1F9396BF52A74481E04B059D0B00E12B6653B762ADE6A48D37A5AAA082B6DB7B26240F89EB823DD9C8663C65B4A1BAE28D553A7F4EE7A80B3FACA2DE0646E94
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):660450
                              Entropy (8bit):7.122411931922559
                              Encrypted:false
                              SSDEEP:
                              MD5:E76BDFB2D413139E919B015CD1B62704
                              SHA1:2996D1EF76A509AAFB174D13947296B1FE3AC89B
                              SHA-256:1EDB5F8AC825402378187FEDC46E8591736C45000CE2A5E648752D2D185AB7F2
                              SHA-512:971B1D6F451EC19E83C7AC88A6DBB5A74936021112C38C50B92E7ADA9576BDAB798E7CB14733ED14EDA1AC654AF2807253DFA6D15861A98B86E9A1BF6D9E390A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):963554
                              Entropy (8bit):7.276246928898348
                              Encrypted:false
                              SSDEEP:
                              MD5:68404286EB387FBC23AE3BAAA743F04B
                              SHA1:B8C098FC8B77CB54B9A78FA3593D61021402099C
                              SHA-256:6CC4BA0ACCA9B9413B615386B17B5932C82A3DD440B3F0F0EF6B720B110B05FD
                              SHA-512:B61393CBF0B55305CD00AF7A176BB599E52D8CEDD744376ACECE119F62493F5449D705D5954CB8D60C4A35C6810C7918EE8B34E1B1FA512FB249AD2A1B5B6C26
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):620834
                              Entropy (8bit):7.139709683533142
                              Encrypted:false
                              SSDEEP:
                              MD5:6CC2391A3FC2B17A5DE7DF5990DA90EA
                              SHA1:B92F96AAA32FF23F9D74B5559360BFE6865AF930
                              SHA-256:906A81405040C3068E5083E5FC03DB3CD4650E82891279CA68E9811BB381833B
                              SHA-512:8FD2C4391EF4807DBE41A01D465A9ACED22A25867D2021FD50DC9E4495FA2FB2B1862C7D12B66521004150546A856A49305891359071C81929753994BE735894
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4413682
                              Entropy (8bit):7.139618515940765
                              Encrypted:false
                              SSDEEP:
                              MD5:1D570A20E4C019F7B90E14A4F3B7899F
                              SHA1:9B8295365C811AF0D461461570E7E5D04F43F40C
                              SHA-256:375A342DE2FEC8C447D305E615B31620331D2A31504E72F5C71583857F2CC114
                              SHA-512:A78FA42EB321A29A3D56E4D5716D24FE8DBA31010B5235E5B19EB7E9BCE21F103843F6917E95483EA19490FEBCBE233AB35C416D8CD99EDAA19FB411060B31A7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4980
                              Entropy (8bit):7.002749019806679
                              Encrypted:false
                              SSDEEP:
                              MD5:FE383A13D811F7904B8FD81CAE09785F
                              SHA1:5D2A7F2D8613DB48BF0AC09E6CE91955BD40FC2C
                              SHA-256:F6B67D3C30FF0512125BB556BB46EC859F89261C9C7A546CAC85D89F5DE6403B
                              SHA-512:4F36C67C2B27CF90025091D51F692FEF69BA79AA372ADD1D3C8CEEE3F182E5B6D2F0790C1C506F598C034956EA49E6C33544471F4DD17A29A8E25AED806983B0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):87298
                              Entropy (8bit):7.196837673111451
                              Encrypted:false
                              SSDEEP:
                              MD5:D88A7B73B6B219C0B68BEB906849311F
                              SHA1:68246824A705EC2F87B83749B58CC85DB248F485
                              SHA-256:FC52B964627979EFA5BDAADDFC9BB7FAE01023479E4AE1CFB535916F7806D8F1
                              SHA-512:4AE29A1475CBA242C0C8C611C373C0FF2F9E5A14555DCBF1747192F4CA3FEB74BABD6D837DE44918CDB2F778FC58E6A27A92BF21BB71E4353262C36938A76DFD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1435490
                              Entropy (8bit):7.05075756624006
                              Encrypted:false
                              SSDEEP:
                              MD5:499483EFDF44BE507FC23D98E9285104
                              SHA1:7FF923C15A2CD0AADB559C73636D30967B7D3073
                              SHA-256:419AAEC9C7985B59595646DCFD45347E99002221DD3AB87FC1149797A81941C1
                              SHA-512:2E04F93A77CC9C3D41FC8CE5CB53477D16DAA597FB776984A0D9DB073CEA15E0F1E3DF0806517DC02B78E535C759B5DF176509B9BCD734CEACC8C36D6D8301BB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1124122
                              Entropy (8bit):7.307887001366982
                              Encrypted:false
                              SSDEEP:
                              MD5:37EB2AEA164126F769D835A87BB699C6
                              SHA1:95CA0CCF6919FBD37E713A67E6BBD4920B74D6C6
                              SHA-256:F4C5EB5F23DF70501DE66EAB25C545B1B6A14277EA9BA75B8E455493C4D213BF
                              SHA-512:410C740746B6AEA5A8E09EA699321995A288AF2CA65F0A09DCCACD265BD90C53E4895AE0D1ACDAB6FBA9435177808E50FDCA5559A69D1034C7B3B8A37600E9BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):335050
                              Entropy (8bit):6.915844386604767
                              Encrypted:false
                              SSDEEP:
                              MD5:4B5901EB45DB4B731210E9A869268E10
                              SHA1:77E0AE815E4B91756332BEBE37CA1E8347871B6A
                              SHA-256:3E6DFDB7C3757A00F433927E3DBB9DE9F05CDF056C04D173C2D76C004E24EF11
                              SHA-512:1B89932234B2433C75ECAC7FDA48C235BA1D5942CCE136FB9C893A4750DF0B1B9F4980373B27F3BB5277663DB712E8C53387EC1A08C75224978BB80A3F8814A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):727
                              Entropy (8bit):7.220119530440514
                              Encrypted:false
                              SSDEEP:
                              MD5:A89BB715AF1A0766501FF7016196C066
                              SHA1:F26FCC3524AC449F608430EB60C21EEFEA9C7155
                              SHA-256:EF7B855DB51548A58FEE27AB6841F5D1D3A0C5ADDCBCA7D8084DEFA350A176FB
                              SHA-512:10B2A3D3ABE9B416592C7FCBF0118CE088A9D99730C4C67373E353BA0CD6E15655E92F4B9F73E5D854467EA85007A862944311F38D5B2111B7E0A374EF7002C5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3242586
                              Entropy (8bit):7.262919919675881
                              Encrypted:false
                              SSDEEP:
                              MD5:1367FD1C78B301C74CDC6A35530B9F53
                              SHA1:BF410D778775476495A60A044BEA0DB2B14F9853
                              SHA-256:D9DC2386B4F5FA63D237E4AD041C4989C8C01918438F54F533CD1B2066F75708
                              SHA-512:8D1E82E1D9EE39BCC5AF6945646925F86A3208C92339A4D349BC997C7A4A336ED329AD8684B2F7DA35886E3EFA9AC1F77F9A0AFF71C6F7D86A9119AA1367C7C2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1210458
                              Entropy (8bit):7.228387944248397
                              Encrypted:false
                              SSDEEP:
                              MD5:E735D623DC6705597F8BF0232BD283F0
                              SHA1:884A12A801ECF85F86E3F7627FA2A1824A00282C
                              SHA-256:4E24799FB0FC96DDEAC1763DD176E42770D925A4B262E0AE75FB40AC5C8CEF8C
                              SHA-512:C8443E4EB0B0FC185439388E5F59A71E4746F779EBD87D44E7E1C804375E39FA6311C58EB911CE02B25F4F84336DC6AB7F67039943680F5261852BA12CD242E9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):547300
                              Entropy (8bit):7.188363693223657
                              Encrypted:false
                              SSDEEP:
                              MD5:BFB523BDE569398496BCFA990D0B3D20
                              SHA1:F014D1B8CFDA712DF742C3879069BFD0C42D3423
                              SHA-256:B6DD1007E32DA3DC1675D1900DC2356FD110AC549723309D6854B39C77B1CBFB
                              SHA-512:4A9123F2A67240DF9C4D8C6AB3083F313F9E8551FF482BB171656F67FC7FA463FD5929493B8F4748FDB2B0A1EB2D287698EBC7F642A29942D0D65C0BBD3F203B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):766
                              Entropy (8bit):6.912820149484207
                              Encrypted:false
                              SSDEEP:
                              MD5:26C513F8D2A351C04B2D39979EE12761
                              SHA1:CFA0E8CE4AF7437A3B539CF24A765E5B8F91B2FB
                              SHA-256:9A4928D0C5A18D16C636566BE9AFC4BAF8FDE6409052AA7EB930D5B9F4CFD0B6
                              SHA-512:4D45979DF7478454DCBFB25AE03106C03955DC5DA540FD5016F3C2931C3B5BD9234F619C9E171F1F1700C8CA50E7715AD70B482AEC7E56FBC7555F40359A8A95
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):5294946
                              Entropy (8bit):7.102215589773924
                              Encrypted:false
                              SSDEEP:
                              MD5:2E668337EB7B08A84B5630FDEF9AE8FA
                              SHA1:4621B326E56B08C086D5A56BCE300A3CC8DAFDBC
                              SHA-256:2F96BA41F4C22DE2A7A7A188C57F84CE698B5E76FE25DC3BA1A82F15802A31E6
                              SHA-512:52AE4847E87CE61634BBACFC8FDBEF8AA1528B4ED8051214E35738BBCBF7581FFB8393153AAA27D8BB9D4CDB7BAC432809F2F70DFFC285657D9AA423134EA24F
                              Malicious:false
                              Preview:.6.y.Y.....0.h..Ka.uzV..Z#..*..F...^.L.f.B...[.......R.0..p..........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p.........f.[..2m./.A...;.zx..OX...*g.(.&.7.......|Ehl:1u.~L.Hx..vQ.kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@............................T.}y.].....0!C...Kq.uzV.AJ#..*..F...^.L.f.B...[.......R.0..q..8.B.......K..a...PI..%...|P.(N....P.(...0.B.8...................X.B.(.....7.@.............6.0.....B......................text...X..y.I...g.0#Gh..Ka.uzV.AZ#..*..h...*.L.S{R.n.[......R.0..q......@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@....>i8......0#.#..Ia.u...AZ#..*..F.....L.H.1....[.u...m.R.R.................@..@.reloc..(.....P.......O.............@..B........................................................................Tl-y.Y.....0#Ch..Ka.uzV.AZ#..*..F...^.L.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):5294946
                              Entropy (8bit):7.101070354592148
                              Encrypted:false
                              SSDEEP:
                              MD5:21B35439945E2ECCB0367779BD2650EA
                              SHA1:97D32DD31523ECAB190698F93EFBB2844F53AA67
                              SHA-256:1FADE44A7E678E7B57E2C1F3DB4C45579008263F4152007B002B5D2285B31C5D
                              SHA-512:3C2A039156FD0721583CE146124093F6C9C4FAFBA184706CE5052B00BA77CEC82CE626CB15C0807283591D209DCA83B16C2E58DBAA5344E1BB4175C1DCAC9A3F
                              Malicious:false
                              Preview:..np....:j..<.It....b..j..+..._.>z..\..!...iZOh...PB..[..k6.........!..L.!This program cannot be run in DOS mode....$.......Jc.M.............p......nx......nx......).......)........p........zo......{..x.jq.e1m..t..'...G.1.e...Y...k.Q..M..R.a.#J..m..kxx.............kx......Rich....................PE..d....".e..........".... .z6..........32........@.............................C.p........z).....b..j....+..._..z..\..1...iZOh...PB..[..j6.8.B.......K..a...PI..%...|P.(N....P.(...0.B.8...................X.B.(.....7.@.............6.0.....B......................text......p....>....~It....b..j........q.Z...\.......lOh....t..[..j6.....@..@.data...`....0G.......G.............@....pdata...%...PI..&...:I.............@..@.didat.. .....K......`K.............@......1...bk.....t....b.Jj....+..._.>z.\..S...iZOx.......9....}.............@..@.reloc..(.....P.......O.............@..B..........................................................................p....>j...zIt....b..j....+..._.>z..\.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:COM executable for DOS
                              Category:dropped
                              Size (bytes):32474
                              Entropy (8bit):6.827970137491569
                              Encrypted:false
                              SSDEEP:
                              MD5:737A34E3757F3E9CE55B371822A27943
                              SHA1:8406F14D8AF8899733C96AF87B6F2CE61068EB55
                              SHA-256:D16057415D7407463E1011CD9CC6BC0D1F335512E7C7D531BB8B9A205FB9B441
                              SHA-512:A1963DCDC48080235D825B15F152F8D34BC382EF10098C88D3DFAE849560E7B41C2AD6CA740ACE5B145A422DC4DC4096ECFC130BD98C149B38CBE17FA290C374
                              Malicious:true
                              Preview:....m..T.$l..f.J.n...6.......6!....U..~..6..V...q..'..(..B.%.C........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........." .........<..........................................l..T..l..b.J.}...6.Q^....6!....U..~..&..V..oq..'..(..B.%.C.-.......-..x............P.......T...)...........,............................... ..8............/.....................................T.*l..v.J.~...2..^....6!....u.....R..7...hq.....(..B.1.C............@..@.data...@....@.......,..............@....pdata.......P......................@..@.00cfg..(....`.......0..............,..."K..hf.J.n...F..^....6!....U..~..6..V.....t.Eu.$..B...C.....4...................rsrc................6..............@..@.reloc...............R..............@..B............................l..T.$l..f.J.n...6..^....6!....U..~..6..V...q..'..(..B.%.C....................................................................................................................................l..T.$l..f.J.n...6..^....6!....U..~
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:COM executable for DOS
                              Category:dropped
                              Size (bytes):32474
                              Entropy (8bit):6.827970137491569
                              Encrypted:false
                              SSDEEP:
                              MD5:737A34E3757F3E9CE55B371822A27943
                              SHA1:8406F14D8AF8899733C96AF87B6F2CE61068EB55
                              SHA-256:D16057415D7407463E1011CD9CC6BC0D1F335512E7C7D531BB8B9A205FB9B441
                              SHA-512:A1963DCDC48080235D825B15F152F8D34BC382EF10098C88D3DFAE849560E7B41C2AD6CA740ACE5B145A422DC4DC4096ECFC130BD98C149B38CBE17FA290C374
                              Malicious:false
                              Preview:....m..T.$l..f.J.n...6.......6!....U..~..6..V...q..'..(..B.%.C........!..L.!This program cannot be run in DOS mode.$..PE..d......e.........." .........<..........................................l..T..l..b.J.}...6.Q^....6!....U..~..&..V..oq..'..(..B.%.C.-.......-..x............P.......T...)...........,............................... ..8............/.....................................T.*l..v.J.~...2..^....6!....u.....R..7...hq.....(..B.1.C............@..@.data...@....@.......,..............@....pdata.......P......................@..@.00cfg..(....`.......0..............,..."K..hf.J.n...F..^....6!....U..~..6..V.....t.Eu.$..B...C.....4...................rsrc................6..............@..@.reloc...............R..............@..B............................l..T.$l..f.J.n...6..^....6!....U..~..6..V...q..'..(..B.%.C....................................................................................................................................l..T.$l..f.J.n...6..^....6!....U..~
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1213
                              Entropy (8bit):7.594758644738183
                              Encrypted:false
                              SSDEEP:
                              MD5:492F153E79EEABF266C93C80C8712BC8
                              SHA1:39A4C3632DCFCF00F3E54CA7040CF6DA2472CCF7
                              SHA-256:75084612E1393F4B658D49374D7CEC4A785468EE9C9133C3AB02A6540BA65760
                              SHA-512:E811B55E1A6F61EB1AD63324C1A32EDA98C039E2DE0158BF2C05F1BA74502FFCD9898F5BB7360148E9142266088288554FB100FC8792CA950C882F367611BDF0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):15978
                              Entropy (8bit):7.977594665604727
                              Encrypted:false
                              SSDEEP:
                              MD5:0756CA245E76D245BC5FF4A94DFDF3F7
                              SHA1:CF807AC92E19A6ADD823A9D44E09D7A762B19A03
                              SHA-256:488F3CECE5DFF7B68C7DD823A0C485340F47AEB2FBA7076A9E8463331A7C8D93
                              SHA-512:3F2CB99B48D8BD546E21D4E7FFB8FF42E970AD83DA79B1FD3B7CCBC79790B537A65209D3633676D5530FF5E3314912979DEE06D8DD9C3A1430031FCE92067A05
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):6066
                              Entropy (8bit):7.932656176433746
                              Encrypted:false
                              SSDEEP:
                              MD5:9442C256680B466547322F8C6B5B2BDD
                              SHA1:5C2F978CFFB89D9ABCFBD07D740B334DE6339455
                              SHA-256:FECD9584F651D4294B1FA3CDFF67BBB118DDD977E78471E2AEB38CCF2D781278
                              SHA-512:39735B072A032FA7FA01E6A49CA1F67258F950759416AA871807910C3BD081E74C209AC40257E54C6D2A8C22CFB3A0674109EECBA69A20A05E23463667EADCCD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):23351
                              Entropy (8bit):7.980214157292412
                              Encrypted:false
                              SSDEEP:
                              MD5:56369CAAD9B56064A237CBEBB26FFC2E
                              SHA1:5C5EE5279AE79061CDB174F11976756EBE36B31B
                              SHA-256:F8000B3405014E83836491AD996F39FAD84A2D0D2EEA4B3E36F9C0AF6E6D9CB7
                              SHA-512:381622E0D8D50E4FB22A61ECD78F5A59E9A0CE69EF108514826BA8085D93F1F424546AE9FC0163A9C6B2E9E17FC55CC4237BF69DEAF27791BFC21F7CC2E79088
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1101
                              Entropy (8bit):7.448580388459641
                              Encrypted:false
                              SSDEEP:
                              MD5:71BD758AB531C03ABF4A754B4578127A
                              SHA1:A419165AA232FBFE296EE5A3D7B68A4A75A5E89F
                              SHA-256:C55F491025D228A2C8E4EDCC7A4ECFB1AB8BBCDB044C6BBA3CD137AB9E653A16
                              SHA-512:8A6792CFFBD2A04D118BAFEFB573CC8339EE93E34A326E4B51DE2F1ED222A6345DFDE6ECE20EAACC849412D4C951F603B2C0DB2F082C4737E0B04DF0D45784A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):139216
                              Entropy (8bit):6.872537654865669
                              Encrypted:false
                              SSDEEP:
                              MD5:F6EE1B9011FC68762184937670D1A281
                              SHA1:36BC02DC00E0FD1D809DBF4ED7730A6AD1E1642E
                              SHA-256:8CDDE1B1CD6CC4CC5656925E1F767A5637F1912F48C6B753FDFD3AAA232D9096
                              SHA-512:D9DC2B86AF04FF9BC8EE221F1E3DA256A5DEBFE5CA42F9D0427E65F3170DDC704BD4EB34F4BC85E9A778E6C77CF0F5DF1F071543E120C88B9BFAB11AAF39DE9A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):62561
                              Entropy (8bit):6.594013587413401
                              Encrypted:false
                              SSDEEP:
                              MD5:2D06FA1D39026DDB996A03BFFC98DC45
                              SHA1:A2EC1B9F3DB28328E22801B321DE0C426E8F6E99
                              SHA-256:AF40D69ECF9E9B934F83C6B0699E41EA213DEE477B879269F37C926520AA1FA6
                              SHA-512:E9960A962D7B1EAF2780515BE0D63FD2C1937ADD6B6EFFD4B9B8D1A5B5A8106DD79D22A74CF4EBF510A9C850D110CEB28B5151808F5EF3B2B1A4C5A3E7711530
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):172583
                              Entropy (8bit):6.499031403124671
                              Encrypted:false
                              SSDEEP:
                              MD5:61DBD5C93D6AEB4FDDE9A593ECE48C3A
                              SHA1:4686A51F2F8BE1906EE1065169F359739193EE07
                              SHA-256:F089AAA978F69524E410A1AEADBE2393040FBB9833F1E9696711F53A1A20872D
                              SHA-512:A5225A2EA53B4000249760AC9EC768881A381DE364C92017BF2A1DFFEB47FE9ED969DD1E49563AE63587104A1D0C21E578FF81F0F3187E244ECAC9F8372645B7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):31155
                              Entropy (8bit):6.565572193993586
                              Encrypted:false
                              SSDEEP:
                              MD5:D5989FEA4C8E1174FB16E048341EDA87
                              SHA1:03E184414A34B2F2C92D3BC7143ED57365FEBB45
                              SHA-256:1B27D538C248385343E4EF416BA046D3CD4CD5FAB79E9B7900057F2D55E87BBF
                              SHA-512:A41FC64A592AD34C7559FF3D1DAFF8E97878D829CB0046A2BA3BC3F17E54812FD2B118282EEAFBA3EFE219D70BC165F1B770F095B2E2225172163E1C44981130
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):424254
                              Entropy (8bit):6.624377946758985
                              Encrypted:false
                              SSDEEP:
                              MD5:3D1E76B9E62E5C76A34A0AF5CD347D58
                              SHA1:DF4438E93080BC45AECA11D886A99FA3467A7A96
                              SHA-256:F4BA0B1AF78D38C30EBA3E4E56FB79E4A9842BE116BA04BE9E1716A68B4CF764
                              SHA-512:D41E5BEC8578F351E135D7CEEBAEE7F2510F78E66EDF5183D8F1BA5EBE6A92AFE85495A2936CCEDB54C24662C4CF55F7B50BDECE13AF5C7C80DD3E07C44FAB68
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):42504982
                              Entropy (8bit):6.821784911033645
                              Encrypted:false
                              SSDEEP:
                              MD5:20C6EAA575968E2922EF1E41B6CDD7EC
                              SHA1:C8AD67858C6C0CC8D8043A4BDFBDF760B5B5B213
                              SHA-256:BB497FF37188701A2A1943825614FD0A25FFF66626C786C5CF6C761DC307AE32
                              SHA-512:F07C92311790A30911DDCC1424CBEA0510273B2585B772984FBDD0206CD26FF5B70084546F13637B215D3D992F606C17CD3FC01ABB7C87A34FE60ED397AA223F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):259802
                              Entropy (8bit):7.105776710521069
                              Encrypted:false
                              SSDEEP:
                              MD5:0C00202B3515171EFD137797C57B9F17
                              SHA1:A0A92CD915EED40183A562148119F99A3DDB360C
                              SHA-256:01F32E1946C8301405804A05F49C3EB090F76DD55831EE4F0C1E42F0CEE3C72E
                              SHA-512:F8380651307D0474B28DA17E0C3424ECC8F1C9E83B2AE330A4DB3F6DCB9F274D9682BDDF3B30BBDD41D027FF0D967BC734240C861C3CFCBF6798B57D568E1F14
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):259802
                              Entropy (8bit):7.105776710521069
                              Encrypted:false
                              SSDEEP:
                              MD5:0C00202B3515171EFD137797C57B9F17
                              SHA1:A0A92CD915EED40183A562148119F99A3DDB360C
                              SHA-256:01F32E1946C8301405804A05F49C3EB090F76DD55831EE4F0C1E42F0CEE3C72E
                              SHA-512:F8380651307D0474B28DA17E0C3424ECC8F1C9E83B2AE330A4DB3F6DCB9F274D9682BDDF3B30BBDD41D027FF0D967BC734240C861C3CFCBF6798B57D568E1F14
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4216
                              Entropy (8bit):7.785458242941135
                              Encrypted:false
                              SSDEEP:
                              MD5:89AD0E45E0671691C8974851B4321649
                              SHA1:F8A9CA17F36DB3B1C104B388F06570B00AA64AFD
                              SHA-256:D5B57F254D90DD5A5833B89DDB2EA4A5F3A422F360EEF2BBF722DFD07FB2614F
                              SHA-512:CE707B93F912CBB029011C9F635FC8F24BD2AE3CC6CD11E49704D82861CE423873D345244207EE7ACBE806CB091DA00288BE0535B8562E5423A7B45743825728
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):718042
                              Entropy (8bit):7.028307955660467
                              Encrypted:false
                              SSDEEP:
                              MD5:477AF5ECBA9613326AF076C620B35FEC
                              SHA1:B5D187A5970938D9902726AFB7B9973095773908
                              SHA-256:CB1752811E9EFEE2E0918844A6F83DFC44BD659C09D091818C0156929FEBB15F
                              SHA-512:FF7685A8400EF747B1FFAA19CF711121A40122D7D188E7AEBB4E48DE22D66D3FC885DFF5CEC3ACE9481AA41BACA747C97AF3644B008B96A0AD595B5E1B3D66E0
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):718042
                              Entropy (8bit):7.028307955660467
                              Encrypted:false
                              SSDEEP:
                              MD5:477AF5ECBA9613326AF076C620B35FEC
                              SHA1:B5D187A5970938D9902726AFB7B9973095773908
                              SHA-256:CB1752811E9EFEE2E0918844A6F83DFC44BD659C09D091818C0156929FEBB15F
                              SHA-512:FF7685A8400EF747B1FFAA19CF711121A40122D7D188E7AEBB4E48DE22D66D3FC885DFF5CEC3ACE9481AA41BACA747C97AF3644B008B96A0AD595B5E1B3D66E0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1246
                              Entropy (8bit):7.553415371392115
                              Encrypted:false
                              SSDEEP:
                              MD5:63711CF2E044AAF417973F592482AB11
                              SHA1:6D796C05928A352DDE2E42883C8CE199DE57555C
                              SHA-256:8918C7FFE51FBC379B45EA7408EAB31A454686B7B3608E0EF0AE7AA3094C2A77
                              SHA-512:6F3778DFB65AB09A3B4955D07AEB471C97F3EFAA70E925E91B47058A21213387ACE581EDB099363F479230F4D97CCE6C7E91E8DC5AAE335ED8D209C3E9E6256F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1344
                              Entropy (8bit):7.566850316435204
                              Encrypted:false
                              SSDEEP:
                              MD5:B956BFA5D7D4A9ED67A65B349A9EDB12
                              SHA1:AD6CD6043F32DEC665DFCD320A767EA1A5413871
                              SHA-256:FB3039C746BA569D649768EE9D2A3A8A9D6EBF8F4523F20D3A42B6DC20E9CC55
                              SHA-512:2648E22A7F002FB4BE3C2A25B1318D32BCA69D490E039DA2A2217AFC34A6D75BE6BF65D54074F002CE5D1F10EB8D46931213C4B25579525AB151855910C4A8B2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):418
                              Entropy (8bit):6.364666621752463
                              Encrypted:false
                              SSDEEP:
                              MD5:4FA888E44F86F6E9F655FDB573469CB9
                              SHA1:C7DD6A48CDE76B3B3B07E8CCC9494B7ECEC52636
                              SHA-256:2308F7338A02296621BD411C90A53FE12377121011BEFD41051ADAEA5E6B1E98
                              SHA-512:A84D5FE4AF6A17BE81061A2F8BA41DCF2BDC6B4B7D09695B0DCCCF65EF3009EC56E8A94C5205B9B631202BB62D5FE64B1B6A27A0A5663E6DFCED2EE16FED1AC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):871
                              Entropy (8bit):7.310270333168738
                              Encrypted:false
                              SSDEEP:
                              MD5:45CE4F7A9BF545EA2D7E6DE22DE076C0
                              SHA1:4AD9268E2F37DA4ACE4774CE33008C80CF49FA25
                              SHA-256:E842C21420AB3E3955AEC66EF933EBF4B9055D6121FD813758C1716AC25362F3
                              SHA-512:A8A398CC7D7A3D79DDE2F24654C1E8DC31E57A38B3462D8FD681E7BD83205ACF1A63317C2D48F02AA0B106CD206CC54F7482192A9F89BCF9304E16F2F7288C44
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):677082
                              Entropy (8bit):7.373602046308443
                              Encrypted:false
                              SSDEEP:
                              MD5:3A9288A6C00C8B0526473135465B54E2
                              SHA1:25B22AD8B7DA42F823E27351658CD3CE1AE8ED97
                              SHA-256:4C66880A2EACFB610AD9B92D70D30DE0FA64B09B47265EAFF90CC76537C08566
                              SHA-512:49C318B6F248FD0ABDAEBDCE1403952ED0A749FBFDA6B05D75AFB2830934EBE1443AAF4EDF41FFA6E950C3C4FA4F8647B350E77A2599BBDD9788DF9AE4050EC0
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1763
                              Entropy (8bit):7.735992434222886
                              Encrypted:false
                              SSDEEP:
                              MD5:53EB2F57A35FD527E3B664BEF66D19F3
                              SHA1:CB611282A21527CDD2D1B9B895C7398CFD7293C1
                              SHA-256:4273A507F2BADE230411AA7331BFD262470A5DC722EC8F88A1979EB00687BAB7
                              SHA-512:BB8C0CE0C9A3015E68B0433DCDAD3BA2732098E15A1E4D4B73F241EFE731D3BCA68719C1ED5E2CD2C6CABDC4F7BAEEEDA7665B40E56F3F5F2636E5A0830E592A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):677082
                              Entropy (8bit):7.373602046308443
                              Encrypted:false
                              SSDEEP:
                              MD5:3A9288A6C00C8B0526473135465B54E2
                              SHA1:25B22AD8B7DA42F823E27351658CD3CE1AE8ED97
                              SHA-256:4C66880A2EACFB610AD9B92D70D30DE0FA64B09B47265EAFF90CC76537C08566
                              SHA-512:49C318B6F248FD0ABDAEBDCE1403952ED0A749FBFDA6B05D75AFB2830934EBE1443AAF4EDF41FFA6E950C3C4FA4F8647B350E77A2599BBDD9788DF9AE4050EC0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1474598
                              Entropy (8bit):7.168600544078521
                              Encrypted:false
                              SSDEEP:
                              MD5:D5206B554D510C9AB1B342CB36981B76
                              SHA1:065334CAB6BDE73D359DC0753AE36B3515169D9E
                              SHA-256:CD0893922570092E09211D34A89C9C9D8AC21CFF82D4FD50775A66B5EEB21ACD
                              SHA-512:233C7DA9478C330E3D118A85DE84F796D0532EAB33329678BC49F79DF33B1571F95F89CC40D6E48E3C8C7838FE52468F2BD62AD5C5A033CF193CD20B192FA5F6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):805594
                              Entropy (8bit):7.236710990138391
                              Encrypted:false
                              SSDEEP:
                              MD5:B233E71024A5289129A32B2AFE82ED79
                              SHA1:03981C98546E48F2FD9C595B03AB9844E8CAC955
                              SHA-256:8D0ACA23C46BCF08073ACEEC6C336E608528F3D3408ED4BCBDBC025927F72423
                              SHA-512:4E6B22804A0ED299EA8D54FC5C1A32C35938BD42A81A054C47F29C64BF213ACAFF4F1288DB821DD0700E3CD4A430A8EB8E6BFEEC2BC9860F98CB47D3A85338F7
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):805594
                              Entropy (8bit):7.236710990138391
                              Encrypted:false
                              SSDEEP:
                              MD5:B233E71024A5289129A32B2AFE82ED79
                              SHA1:03981C98546E48F2FD9C595B03AB9844E8CAC955
                              SHA-256:8D0ACA23C46BCF08073ACEEC6C336E608528F3D3408ED4BCBDBC025927F72423
                              SHA-512:4E6B22804A0ED299EA8D54FC5C1A32C35938BD42A81A054C47F29C64BF213ACAFF4F1288DB821DD0700E3CD4A430A8EB8E6BFEEC2BC9860F98CB47D3A85338F7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):474330
                              Entropy (8bit):7.420908450778865
                              Encrypted:false
                              SSDEEP:
                              MD5:71D20BFD18A2905261C6D7B9C621428F
                              SHA1:FC753D9CA487E5DA9730A3DC82F4EB828ACDC337
                              SHA-256:329D923B163005553E49D0FE05E2F16F6E983BCD7AC39AFBCA0D84D8BA15E687
                              SHA-512:B14831365EC7D16B9A25B8BBB28CDCC0568B06B7DBF8B5FF4D2971F9E8104AB91BCBCE42F59CB0C963010220B659911C0C166859ADC157ED43310BFA6CD408BC
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):474330
                              Entropy (8bit):7.420908450778865
                              Encrypted:false
                              SSDEEP:
                              MD5:71D20BFD18A2905261C6D7B9C621428F
                              SHA1:FC753D9CA487E5DA9730A3DC82F4EB828ACDC337
                              SHA-256:329D923B163005553E49D0FE05E2F16F6E983BCD7AC39AFBCA0D84D8BA15E687
                              SHA-512:B14831365EC7D16B9A25B8BBB28CDCC0568B06B7DBF8B5FF4D2971F9E8104AB91BCBCE42F59CB0C963010220B659911C0C166859ADC157ED43310BFA6CD408BC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):25296
                              Entropy (8bit):5.407295847815849
                              Encrypted:false
                              SSDEEP:
                              MD5:095BC54CA69D48C31A03F66C4C05634D
                              SHA1:6096456537E673FD6AA4FD0D3B5C276CB52D7278
                              SHA-256:85E5EC738F27A919AF72D6D3EA233567306148F5140C9F18674B29AA42F33535
                              SHA-512:F4FE36C08885F46B49CCB824019856F591F50435A90F7AC3295A1680EED152D6928735FFD9352BDD3BACD0D6D437983DC312B0258DEDBB17859548E2FE75157F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):776
                              Entropy (8bit):6.825644876087027
                              Encrypted:false
                              SSDEEP:
                              MD5:8A5877813379DA0AB7A445473CD148C8
                              SHA1:D76D1E9B0D440BD437361165E5DF2BD11C36A72A
                              SHA-256:0AF03A19DBE8A0F016723446134BD1AE8B2D1A96D161A542F60D59156F20DF30
                              SHA-512:9F8C78A5ACF13FF6353F5344F7E16BD00B1A0203B14A51CF5D4A412597246C583A852AD9611D91595FDC663FB519430E61D266568B8C9DBA982A5E0F5F5AB17D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):217818
                              Entropy (8bit):7.159541910995505
                              Encrypted:false
                              SSDEEP:
                              MD5:AD9E01D95911958C9460664D43F9E17E
                              SHA1:94E593CE4D2C436B692E4B68C05F1D1917097C4C
                              SHA-256:5611A1475D94495B282F09E48655F15F415BF6952E0DB65E07CE8060E87FEF46
                              SHA-512:9C2D61C330BD1C79FC358D18746FEAD9AAC69FB6100EAA35CF91841093E526DA9EEDBA89A25D501CCDAB59279C42682BC99D3179BEBDC2F6CCE5B478D3FCDDF1
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):217818
                              Entropy (8bit):7.159541910995505
                              Encrypted:false
                              SSDEEP:
                              MD5:AD9E01D95911958C9460664D43F9E17E
                              SHA1:94E593CE4D2C436B692E4B68C05F1D1917097C4C
                              SHA-256:5611A1475D94495B282F09E48655F15F415BF6952E0DB65E07CE8060E87FEF46
                              SHA-512:9C2D61C330BD1C79FC358D18746FEAD9AAC69FB6100EAA35CF91841093E526DA9EEDBA89A25D501CCDAB59279C42682BC99D3179BEBDC2F6CCE5B478D3FCDDF1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:DOS executable (COM)
                              Category:dropped
                              Size (bytes):41178
                              Entropy (8bit):7.164500630272437
                              Encrypted:false
                              SSDEEP:
                              MD5:E0022BC975695FD4EEECAB2E83AB44E9
                              SHA1:A21B4C9D8DFE8CB34715E40A56E05B39372A354B
                              SHA-256:7DC0C0450114E8741C3CAF31B2BC4CF5602D885F7442F97CA3A405C5B5BA1E0B
                              SHA-512:604CF8C1150E3A9E5B6A1B243E22FC1708263DEE9C4FB458629840BDC9F0A17CB3F93BF9556C0D03B29BDAB4135D9C67F49D04F4FBB939E29D99D0826B3A8BFD
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:DOS executable (COM)
                              Category:dropped
                              Size (bytes):41178
                              Entropy (8bit):7.164500630272437
                              Encrypted:false
                              SSDEEP:
                              MD5:E0022BC975695FD4EEECAB2E83AB44E9
                              SHA1:A21B4C9D8DFE8CB34715E40A56E05B39372A354B
                              SHA-256:7DC0C0450114E8741C3CAF31B2BC4CF5602D885F7442F97CA3A405C5B5BA1E0B
                              SHA-512:604CF8C1150E3A9E5B6A1B243E22FC1708263DEE9C4FB458629840BDC9F0A17CB3F93BF9556C0D03B29BDAB4135D9C67F49D04F4FBB939E29D99D0826B3A8BFD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48858
                              Entropy (8bit):7.065113624355113
                              Encrypted:false
                              SSDEEP:
                              MD5:944C3089DB8F1AF691B8D6B788758B9B
                              SHA1:13C7BF3971D30556C11E7ECF3D349BD1116F6F48
                              SHA-256:526B3D41D7D47BC8C7F7F3F444FD3C857E63C7DEB21DF5497F0145F9FC2185E1
                              SHA-512:A0112EE630BED21A29DCB4A04E6FE8354943B78492F2AEA79B23EB8B527F2C688B01A9987D5A1E61BDB60ECE036512336ED5A8F50FC81D46A0608D223DC41E6C
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):48858
                              Entropy (8bit):7.065113624355113
                              Encrypted:false
                              SSDEEP:
                              MD5:944C3089DB8F1AF691B8D6B788758B9B
                              SHA1:13C7BF3971D30556C11E7ECF3D349BD1116F6F48
                              SHA-256:526B3D41D7D47BC8C7F7F3F444FD3C857E63C7DEB21DF5497F0145F9FC2185E1
                              SHA-512:A0112EE630BED21A29DCB4A04E6FE8354943B78492F2AEA79B23EB8B527F2C688B01A9987D5A1E61BDB60ECE036512336ED5A8F50FC81D46A0608D223DC41E6C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:modified
                              Size (bytes):4998362
                              Entropy (8bit):7.101650564908802
                              Encrypted:false
                              SSDEEP:
                              MD5:9EC4AE165CFD9532F70468038B5BA52D
                              SHA1:04D2F67031235214942F3220EE2AC5F30F30E886
                              SHA-256:4E3A5B90C555FE39813B24BC31E862435CD6BE669D5A3970A734DC4BBDF6CEBA
                              SHA-512:9A0101299FFE8ECFC5FFE3AF63EC095517F3C8CC3B5A91759578806412D2F3121828189AF53AEA665EBCBE1D4EED5799A6953BEE8D32F37727B8DD3B70D83A46
                              Malicious:true
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):4998362
                              Entropy (8bit):7.101650564908802
                              Encrypted:false
                              SSDEEP:
                              MD5:9EC4AE165CFD9532F70468038B5BA52D
                              SHA1:04D2F67031235214942F3220EE2AC5F30F30E886
                              SHA-256:4E3A5B90C555FE39813B24BC31E862435CD6BE669D5A3970A734DC4BBDF6CEBA
                              SHA-512:9A0101299FFE8ECFC5FFE3AF63EC095517F3C8CC3B5A91759578806412D2F3121828189AF53AEA665EBCBE1D4EED5799A6953BEE8D32F37727B8DD3B70D83A46
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):336
                              Entropy (8bit):5.997049387262576
                              Encrypted:false
                              SSDEEP:
                              MD5:E8667D9E56B5C4A2BFA76D58889518BC
                              SHA1:442F01367393FAAD69DA568FAFE7DF09DF6CD4C0
                              SHA-256:14C47F269BB173EFE10BD603DBDE4DDAF2162A42A1B2CC6401076D2767DBF9BF
                              SHA-512:ED37DE3264780AB186A54C21EDA05F14902D9518A39894544C20D56A477D956AF5156369148A7A484E6D7578EC1EDAB6BBEC51E75511075C0869F386377FFCF3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):336
                              Entropy (8bit):5.997049387262576
                              Encrypted:false
                              SSDEEP:
                              MD5:E8667D9E56B5C4A2BFA76D58889518BC
                              SHA1:442F01367393FAAD69DA568FAFE7DF09DF6CD4C0
                              SHA-256:14C47F269BB173EFE10BD603DBDE4DDAF2162A42A1B2CC6401076D2767DBF9BF
                              SHA-512:ED37DE3264780AB186A54C21EDA05F14902D9518A39894544C20D56A477D956AF5156369148A7A484E6D7578EC1EDAB6BBEC51E75511075C0869F386377FFCF3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):239322
                              Entropy (8bit):7.132688844780229
                              Encrypted:false
                              SSDEEP:
                              MD5:049F2CCEAECB8EA79861657047D7A291
                              SHA1:F77852D3EFEBC2D086FA8C53CDA6F5E87FFE7359
                              SHA-256:A1E00D669C4999AF9D631CE1CCB9DB496812425F8D6584727B1982CC6D631AAE
                              SHA-512:BFCEE9D2A232148A0EDBF16C917FC013A4FB19CC151CE37DDBAF37133B8EFC37D0DDB3981241863DB80265A50E821DEF4B1B39A6F8BC26266EF133B74D06CF01
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):239322
                              Entropy (8bit):7.132688844780229
                              Encrypted:false
                              SSDEEP:
                              MD5:049F2CCEAECB8EA79861657047D7A291
                              SHA1:F77852D3EFEBC2D086FA8C53CDA6F5E87FFE7359
                              SHA-256:A1E00D669C4999AF9D631CE1CCB9DB496812425F8D6584727B1982CC6D631AAE
                              SHA-512:BFCEE9D2A232148A0EDBF16C917FC013A4FB19CC151CE37DDBAF37133B8EFC37D0DDB3981241863DB80265A50E821DEF4B1B39A6F8BC26266EF133B74D06CF01
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):188546
                              Entropy (8bit):6.792253510061169
                              Encrypted:false
                              SSDEEP:
                              MD5:4C90DFAD316EBB99CC3531B9613DAAAB
                              SHA1:ADB38B8515616F7A4428D9A37C8286732F8CB69B
                              SHA-256:1AD23A03B104BF718EE23F7214E9967FE3F7699016E286906FE94CA907504FF7
                              SHA-512:41DA5285866A30D32B2A5AD3B8787750A577013F07E9656C3DD314AB1EE3E727D396C8EA81C0DCA4D09A0D5E03CA58DA5ABB46992EDF4998D31749A12B49A9F1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):188546
                              Entropy (8bit):6.792253510061169
                              Encrypted:false
                              SSDEEP:
                              MD5:4C90DFAD316EBB99CC3531B9613DAAAB
                              SHA1:ADB38B8515616F7A4428D9A37C8286732F8CB69B
                              SHA-256:1AD23A03B104BF718EE23F7214E9967FE3F7699016E286906FE94CA907504FF7
                              SHA-512:41DA5285866A30D32B2A5AD3B8787750A577013F07E9656C3DD314AB1EE3E727D396C8EA81C0DCA4D09A0D5E03CA58DA5ABB46992EDF4998D31749A12B49A9F1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):773338
                              Entropy (8bit):6.532034355990736
                              Encrypted:false
                              SSDEEP:
                              MD5:F9254C33AEE3E455109FA36CDE617B15
                              SHA1:557AE91012B0BBD8A369F2587CCFF8CD42169008
                              SHA-256:956AFF9E29B204D344A53919E5C6B4EAEA6A2E7D6F810314133FA42AFBEF2C6D
                              SHA-512:5C94DBE6B454B981EF7A48FA12EAE6B7D9781CAB413FCC53B2CD27097D5060555AE1223627B0C76182DE346B83BBCA844DF584CE757FC30C3F1585613ED5F72F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):773338
                              Entropy (8bit):6.532034355990736
                              Encrypted:false
                              SSDEEP:
                              MD5:F9254C33AEE3E455109FA36CDE617B15
                              SHA1:557AE91012B0BBD8A369F2587CCFF8CD42169008
                              SHA-256:956AFF9E29B204D344A53919E5C6B4EAEA6A2E7D6F810314133FA42AFBEF2C6D
                              SHA-512:5C94DBE6B454B981EF7A48FA12EAE6B7D9781CAB413FCC53B2CD27097D5060555AE1223627B0C76182DE346B83BBCA844DF584CE757FC30C3F1585613ED5F72F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3088602
                              Entropy (8bit):7.341047227103575
                              Encrypted:false
                              SSDEEP:
                              MD5:BBE91E15AF6DB6C6324EF2A2C64BE7D4
                              SHA1:272378258008944D9BA703092EDF3427AB599F7B
                              SHA-256:50A3E058FABDBF95DB0C8CA2191A508005378CF84CE2C728F0E3D1EFF9A5C608
                              SHA-512:68C53B3B6DB318AF7ACDC8143E2FE32EFCA353835AB3987F4DFDBA70E3DEFE2E24ABA9AF000C86DDB172BADC5E0DE6B0B6783781BB406D5DEA421D1AF6075D35
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3088602
                              Entropy (8bit):7.341047227103575
                              Encrypted:false
                              SSDEEP:
                              MD5:BBE91E15AF6DB6C6324EF2A2C64BE7D4
                              SHA1:272378258008944D9BA703092EDF3427AB599F7B
                              SHA-256:50A3E058FABDBF95DB0C8CA2191A508005378CF84CE2C728F0E3D1EFF9A5C608
                              SHA-512:68C53B3B6DB318AF7ACDC8143E2FE32EFCA353835AB3987F4DFDBA70E3DEFE2E24ABA9AF000C86DDB172BADC5E0DE6B0B6783781BB406D5DEA421D1AF6075D35
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):215258
                              Entropy (8bit):6.99377014348982
                              Encrypted:false
                              SSDEEP:
                              MD5:9D82F4BC83CE97A4354CFE99A26D6D5E
                              SHA1:35AB0E1D056D87F10531640502B400CE15893E16
                              SHA-256:FB3A1216BD74F7A5E8557DA1E50F4C886A4FAA36FD09C57E92E6E4FAEC4E8B48
                              SHA-512:E0285A7209E7653E9465969212A3D49460E9A2BD22885D1BCF410CF516F966B681A32EB2496CE9DC530220173037433F87DA36DE2EAD3A8E523D8B7AC2F66D18
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):852186
                              Entropy (8bit):7.255896419940164
                              Encrypted:false
                              SSDEEP:
                              MD5:E38C95E00775166C19EF7F16D4029A26
                              SHA1:67556F71F782E2D2EC82A972CC6699B950631505
                              SHA-256:04C26ABCF0ECD854D045323641BF069262583202FE04B3C7E31EE81705B3D518
                              SHA-512:43C839B3AFE659B2397CC1421A6A3C6B3BDDCE99DC3987F4613F4B0A1D0751902AB65F2532A8480911E25D933F16AE034A799F2AF8DAC5F227F6942C90CF0E58
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):309466
                              Entropy (8bit):7.132587693821839
                              Encrypted:false
                              SSDEEP:
                              MD5:78E9FA6C9D7CFEC3D7E89ACB7F59BD24
                              SHA1:6264F8ED43D6EC6215E1CE92B06F775F849090BE
                              SHA-256:388B31E4931FA1FFBABC889B9EF81294183DA272F1FFA520E4E6CDD108A0D6A9
                              SHA-512:115BAFBDB8372CA6AD1CF65AD0DD620C9E4EE577638165AD550EF387A9D5C9E92B832C05B000444CD86824A6DEA14AE26B9E7AC479800135669B2D62C4F11754
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):567018
                              Entropy (8bit):7.250629353967684
                              Encrypted:false
                              SSDEEP:
                              MD5:AD4AAFACC2A824E9A2A9F23893DAD24A
                              SHA1:71BFA6B584F2C31B0ADDCE3B9CFA5EB60AE0EE41
                              SHA-256:1C4B33E50611E1DEBD23628B5C48D64F83EEC7F3B0A84DD7340B81A340148A3B
                              SHA-512:B0A8B475BE92F34B08672D9E0A9A4BBF513D245BBF6F73C19189B07D35958EF785833BD1770F24AA3E7F97A720C98DDBE09F77695C7F08F96B158B5AFADCA2B8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):62170
                              Entropy (8bit):7.04446500190848
                              Encrypted:false
                              SSDEEP:
                              MD5:EDC620EE8BBA59BF760EF4C2BA4920ED
                              SHA1:91495185185A36BBCF57FD9BA0B7FBA54AC238AC
                              SHA-256:1A80AD8ABC9654DEC3ABB6DC5F3EA5F2A35285841F36DDC3C224AC32364AE955
                              SHA-512:F5E3DB9CB96756FA4DEE31F7A8A5CE9433DB1FEE8ABBA018B64F4298E090B503A426E74793D5EAABC908625C582819C6EECE91AE4A94A493B955C131DE23B010
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2539738
                              Entropy (8bit):7.212988659803264
                              Encrypted:false
                              SSDEEP:
                              MD5:28517ACF042A2FF5DA5CAE739FCC3AF6
                              SHA1:31412C7D49644464B4872229C8D1CF322ACADA0D
                              SHA-256:4ACDBED738C0FFE277302C1F54B7BAFDBF5931B26EE9BB382FAD1D1154EC49C9
                              SHA-512:E508C5761D01E52D87956370B835162CC609320FFA1B38B9183468B743519F25D10ED893F5A66D6B031CCCBBF6890EA8393CA2AEE473B4BA38856729D06CED35
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):383706
                              Entropy (8bit):7.589468352773093
                              Encrypted:false
                              SSDEEP:
                              MD5:92A9FE82BF13BB228F3CB5C67732C569
                              SHA1:7F5D690DA3C2235B55D3CA87A6F91C47B6B34C97
                              SHA-256:7ABB23F1EBCC0811F5DC1ECEF43F9C7204A334689E340E184A39EA49635F8D92
                              SHA-512:AB9F62D3807ECB1AC96A5F5ECB264DFD5D7EA03ED071E63D3ADFAA9CEF58E51436240F2B41CDB572E377CA7026875B84F7451856D1D13A5600C911F0EEFD8AF4
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):32908796
                              Entropy (8bit):6.934198185791233
                              Encrypted:false
                              SSDEEP:
                              MD5:97204C9CF231CD204ECC510EFA3B0067
                              SHA1:BCA528744830C394999E58F0CF1C86ABAD2D77E8
                              SHA-256:18D8623117999CBF6E57910A5999C280D6D5E6C6C34083F279E977152204B865
                              SHA-512:114D0402BDE2F78F3D4B0349AE795F1EADFA48AC0AD50B2B6533482DC6DC9F2E51C3AE4850CE634BB80AC0B03B05EF07F0D814F07F13DDE025255A9107CD1961
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):380634
                              Entropy (8bit):7.129641380556959
                              Encrypted:false
                              SSDEEP:
                              MD5:DA5713331E1CE9C290006D1D6E69BA04
                              SHA1:C5AA2481423E8DCD43ED1E7A349C72B8ACF81DA8
                              SHA-256:74F069173AB905EF9457632B6AFFC904BB33C19870BB092F9906D9EDBE1039A3
                              SHA-512:2CF1A18470EC1DFBAB66F456AA466A00C46B83E7D358625FD27F5E07FEFECE836983F9D610BBB0E973E9AC17232A45C5131DAED07FA71157783ACE4061D94B7A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):81114
                              Entropy (8bit):7.285588277330085
                              Encrypted:false
                              SSDEEP:
                              MD5:88B6A2DDE5EFD95241D3A2A5116251B5
                              SHA1:93DA8741E578C84427A656E9949A731975303F60
                              SHA-256:96ABCC58B4B1771B7DE83090E01E3DD6FC72E84ECC9C7046754BCE00479A5D84
                              SHA-512:23A6C3087E19E5B9B29562F4DBB19A16AE925E2D0701E2B90CFD06EF0343DD7B8EE49E9E4611F7FFC24471C90A9267C2FA0CE19B6897A92E407AB7D9023D38DF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):481
                              Entropy (8bit):6.6217318618587235
                              Encrypted:false
                              SSDEEP:
                              MD5:997E3EB3D76437EE2E7D7D1DFB40EA4C
                              SHA1:0EC49F80120A474C4B561AAB39FAD2CC263C3AB9
                              SHA-256:96B1491219FE3D4DAFB8BE65BADC5D1947F1FEA0B6968BE83BBB07DA6B3F67CD
                              SHA-512:B504B11462E4D15AB6F121A2FE0921783782BE7742A57BA330C77E09E20162A9DEA8605643156A321EADDF3D0DA4DB49E69166698912B3BCE71CC31700A01E0A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):290010
                              Entropy (8bit):7.158899503456856
                              Encrypted:false
                              SSDEEP:
                              MD5:60872A1DE49DFF6418B7E587B1AB1477
                              SHA1:3CFB8F43AFAE139A962615227A31536C0389A5A3
                              SHA-256:0007D2D69113C8632FF68A921C625A3CEFCDAE740C649F949F9417152B0CE897
                              SHA-512:E2F227C92BDB6794AAFA1B88EFAA413A76FFCB937C46E0B6C003919BD8229C72B08A2DBAA9852E9963AC65F13CD5F4EC43BFE1767E1C787259692084BB832A69
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1763
                              Entropy (8bit):7.757902991696678
                              Encrypted:false
                              SSDEEP:
                              MD5:653EE81B44726EB14E0B67C7AD4634DB
                              SHA1:001B4F35AE70FFA2354C8B8197AC3A8ED4B2753F
                              SHA-256:CCFCA9388A82467950D51111D1A49C3B98124F2907CFC3FB1A1C99291BC5F571
                              SHA-512:44ECE727B15B4BEF9A0DF2B1E89A9EF908798E3E02B91F32F5E6B79704158D34115C43FB43B931ABFE047713FF89F1123B1BD7A7C52091C3240336797712E05D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):574
                              Entropy (8bit):6.960745496812686
                              Encrypted:false
                              SSDEEP:
                              MD5:952D201815A350A408EC1D4A1FBD66FD
                              SHA1:4141C9A39E9ED38C22FFC8ECFA4872BB89104A18
                              SHA-256:7B20BC37C0E278E1FEB35183C7C92ED6F772B32759C1633103FEB2B0AA4CED46
                              SHA-512:62800F0A1E52930E2AEEF85EE5038A321253FE1F6555C739DC834935A5178B7710E641674ADC464C1EC0A115285A9611D7C4231490EBF72017F3B0D5B4585BDD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2494
                              Entropy (8bit):7.71293933775566
                              Encrypted:false
                              SSDEEP:
                              MD5:F20D0883E9FFF27F18E082F5D9CFA775
                              SHA1:16A3AD51DB9EEA115543B2D6E9B4EB656C9640C1
                              SHA-256:FD91F7F1438355E7C0A91E99572D8E5A1A07B1E9D344CB435C20830744A988CC
                              SHA-512:01E83365F94EE74ABDAE6A6DEC499AB79704C0079F5DF987BD27B745C71AF6BAD88699108B3DF2D97CF9448965DD5DF4EB62CDA182D30E1D8AB6704FCECB92DF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):873
                              Entropy (8bit):7.31907294516857
                              Encrypted:false
                              SSDEEP:
                              MD5:E8E62D2B3681829DC0AF03EBD16CC5E7
                              SHA1:2BD20FF1DA01231BB92B950BDACEA7E13E0211BB
                              SHA-256:BC8F29561E18A95B71EF3B87C6A7EE1335CC77D5B1687717572D6F46ABD4B255
                              SHA-512:F020215BA699501861BE1B27FE783B7D0C158DA258046E08697C9DECEB707FA33AFBB37E2C56084B6023592549577B1242B500CB13C0A2E80B5F99CA59F5F4B5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):66266
                              Entropy (8bit):7.237769500436657
                              Encrypted:false
                              SSDEEP:
                              MD5:FECCCB619A5761002B1B223818F63334
                              SHA1:1750D4DDC6F08E4A9D100D605AC611DCEDD7A26A
                              SHA-256:30770352DACED52AD5D5BFB3666790EE843608D568704C198F82DFD73AB4524F
                              SHA-512:A027975BCD746B88F5D684E5D41B4AC14BF1A7113D740B3C8DB9C7D4457E42B0C972FDDABEF97B7E83C34CC7CDB545A35AA0A4D902AC30D82AB6E7BCE21D7AD2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):21210
                              Entropy (8bit):7.099392019269133
                              Encrypted:false
                              SSDEEP:
                              MD5:D1B793A110EEC9274E79D34B9C332366
                              SHA1:596397EA8B19CEF6CCFF3616C9B7F09A2CAA747D
                              SHA-256:469A76A9925BE00FCD0F167B014CE21238BFD745F02F362FC1BC7582229EA81D
                              SHA-512:CD36DD9BC2DB9357BDB0ED2B57891308A6013AAEEC632842213E1139FB500FB9E9A9EC3701DAA575924A11A2DE4AA3F27E794EA6C762039116DE5A024E85C1C1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):330
                              Entropy (8bit):6.002742706714403
                              Encrypted:false
                              SSDEEP:
                              MD5:DEB6BA58091D8B05AEA60D67F4FE683A
                              SHA1:DCD7E45263E13891FC7175D6EB19F8E7D6465EBC
                              SHA-256:33D04B0350EC75CF6522E250BB8ACC929831B4AC3B4314BEA96FBA2F1B24D8A0
                              SHA-512:F5E76DBA80AEEAE4A1CF56264252130F41D5828C915A03B2F6DC973E7F30C899023853898587D1EEEFB0A38406E812D0FA93BD3A5E53E003C0E60767F02909A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):317146
                              Entropy (8bit):7.136759451861937
                              Encrypted:false
                              SSDEEP:
                              MD5:2E96D851B2DADFCA58F1D1F3EF49614B
                              SHA1:410A9FF1C16284737F68DE6A76E41F3C13006520
                              SHA-256:DBE9E50A0D64D1F0866DCB02517D1D1B4879699A9A11F826305230C284CD20B6
                              SHA-512:6ED2DE6B5B371E0E7B8D020C28FB39B378D5F7189664736A71CFF10408B5D26C9CB983F672352B5A2008C72D8237611E3B79DE57F3BC467B9DF90A204DA3B0C9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1259138
                              Entropy (8bit):6.713495038476084
                              Encrypted:false
                              SSDEEP:
                              MD5:7E44C1C266ED25586F832543A016EC90
                              SHA1:276B120F974FD8ED2C7F26926F08926FB8DF009B
                              SHA-256:7EC8EFADB93AEF7D04D24D3AC66891B828FEAACB5014AF0817D79B16E53AE66F
                              SHA-512:D31FDC477F4FA97450FE32ECBBDAE9C90B03C7F9A06CC1D6F775B534BABC833E9282E7B10B62C9DEE665CAFF9BB7FD681A56299FB4E5669349BB6FB276FFCBEF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):668
                              Entropy (8bit):6.7146736675875385
                              Encrypted:false
                              SSDEEP:
                              MD5:67F132648F297A0B1FAB6D28F414B147
                              SHA1:A78871FA964D46BF3CF68D86E596D5606CC9E09F
                              SHA-256:F46AB2091A02712B7A021F4432411F4D265258DB2A68326B77B6B02BDE906EAD
                              SHA-512:EE4D2B47A4D3A8F305540653DD96793DA6C264D1BB5E9BD6363E59BF1043804958364900E0D60B54CC5AF55ED1BEEF49801024B27E8A0311658F0DDAD6BFD26F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2332
                              Entropy (8bit):7.7412658947122575
                              Encrypted:false
                              SSDEEP:
                              MD5:B23D42BBDDD4C94DC074B2FBB934ADFF
                              SHA1:9052E37AE27A2C3BA60EF09DBC1C18EFEACA3775
                              SHA-256:51A5334A97FD4C0AE6FAF0F943E2F932DA3DCD6B18A7F5C5938A6D6875980180
                              SHA-512:8E17FE8CDDAC43C120902B7CE04530C094A80505259391A812235000BDB28BF527DE8BF29B8DE22FC21BFF46ED75557D6E781E76011F1222AFFB033F46E8F2B9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):446
                              Entropy (8bit):6.574257513672169
                              Encrypted:false
                              SSDEEP:
                              MD5:F6468B5BBBAAFB273510F7C338742969
                              SHA1:9B4A736C873ED26D22ABF73CAE222F5FE957D455
                              SHA-256:6C645EFCAA795986FA74519B7858933E306AB81E1B24F55F4ECD8382F9D68E75
                              SHA-512:3D5DAB5D6E17FE621C15E1D7A533B56F93A2CB068DB08038BD11B41C0BB50A0B6801800C06DDE7BBBA87482EADE1D9F2562EB1EEF8C0203684D453CF765D6BAC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):414938
                              Entropy (8bit):6.987876225621026
                              Encrypted:false
                              SSDEEP:
                              MD5:476376E6E6E0D666206C0AEAD87F345E
                              SHA1:931BA7E1DC59D34632952F2E6A2B4E472E2EF3F8
                              SHA-256:56934281F0A1886C4573EBA2B3353831A292AA1FA2DEE02D1DDE872763D343D1
                              SHA-512:69EF485E46E039F7AA27D11BE0DDD9A14C644DF17DEC3B0901FC9FAEFF7089C762B503557D8CD65AC8F3AF2522D6E07BD873E3AB2EBF0CB450E51FEFE0DB00FA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1516
                              Entropy (8bit):7.619026776868831
                              Encrypted:false
                              SSDEEP:
                              MD5:113D0B2BE3875461D5D19D3F91B7E9C6
                              SHA1:356D67E6C482D4A5F3148344AAD9574EF27A342F
                              SHA-256:7825D01DFBC326F324BA12AE2746621B603670D252534C2DFB3FB2807A51BC94
                              SHA-512:3A1CB981607A5D53A74610B1257C01A7B8D649051024E56617882CFB3341B05012874BA474D98C7A0E940BFA9EA6963CB8271FA739855055B5E6F557DEF0E8DC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):98538
                              Entropy (8bit):7.182667658183252
                              Encrypted:false
                              SSDEEP:
                              MD5:E40838CBEFED3FE67FC5787B701CFBE1
                              SHA1:1AE88FBCFC0F0DEBC3E9D626443615F2C4F23B7D
                              SHA-256:7E162F2D3FC8311B7EB3843F2942947C6CE4D60AE9F5F332DF49E3F202AB47F8
                              SHA-512:2B70745FF86ABA6AF7475C612E5B231672881D2D79E34C2F7CF56492E17AC8D5DFEC8810B8549F0B5B8422E4B136762DFA9BEADFD5ABE6C6B0D8D5521F44EFA3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):37570
                              Entropy (8bit):7.061573227624662
                              Encrypted:false
                              SSDEEP:
                              MD5:E13F601D95E60ABA8C9AC01D29508B50
                              SHA1:70035B4B7E65982A22CF64010D76BF22B4967A6B
                              SHA-256:860E2D87859FE029281DCBD8C0F378544D025037E171C86916B265654F5D5EAE
                              SHA-512:7763E91A78F1937BF4DF4EBD1AB6F1A863CADD9DB25362A76924EE6B86B4B99B36AC9CB4105FFE156C22203525ED1AE31B912985620E682A396048C5F7EFA7FC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):131645658
                              Entropy (8bit):7.2930838754419955
                              Encrypted:false
                              SSDEEP:
                              MD5:6A1FF8A96212602CC1EB0F9EBC2423C8
                              SHA1:51AC20FE90F80AB3312751EE0AC75844E575F662
                              SHA-256:6B3D9B34B2A3C1C4AD94BF6A1D525FB0085F1CBB9151B8D865F489F81EB46DD8
                              SHA-512:48A63EDC4AFEB92E2EC80E0F944DD5C65C4363075A4298959A9963D6A25B9D0E882AAB8A072FA13867C37BA639B54772A61369F4B65709F6EF1310D5344AD203
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1763
                              Entropy (8bit):7.74218150557281
                              Encrypted:false
                              SSDEEP:
                              MD5:E18D8FC04C93D895DA46E12A183D3D22
                              SHA1:9C3B6A6ED703100545D5DB5011BDC66DA2FB5388
                              SHA-256:2A5D1398DD935F18FC4EA8F51B4B774A625B86B9D0B0CC4C9BBE1A0D033BBFB9
                              SHA-512:F68968DA77AB819AF44271A14920B5D28A780F05EFF69EC64518D83CBABD8164C0E13BC3E9FE1A877CDB20855B951DC461C978F3C9D6D2D5212AC585F7D3775B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):387
                              Entropy (8bit):6.283984773194034
                              Encrypted:false
                              SSDEEP:
                              MD5:9CC0BD341400A90B6DA4392334382280
                              SHA1:9A6AF96CC895DB25A9B9CB61677E8508409B91DC
                              SHA-256:31A49825845F0F527F5790F99C3F81A66C746561A8ADE0DFACCC0340D7923A60
                              SHA-512:E824D33D4D641A4F3156865442FC47186508D9F1ACB0832C621FD96707816886257F587464DEE00F831B52C31BBCD80B78ED9B1CC6D4F9D7635D4E5B1D970BA9
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322
                              Entropy (8bit):5.896394496301377
                              Encrypted:false
                              SSDEEP:
                              MD5:8FA9940FDC226FD0012B71FAE37A6DAF
                              SHA1:1DC8A541084FA17D2877DC91DD432003FBB7C763
                              SHA-256:5148514FB32AD7E92599C824C19733CD19AB0A7F716ABD64AD57F3D3F9144E49
                              SHA-512:156D892E78C459128154F273A471739485F91F27D5507672BED220020BE747159CB2463208E3CB303E8BCB0FBEF3174F566267C0CA2C832982DEC0436B7372DC
                              Malicious:false
                              Preview:.qNU...m...D...(.....k.1a8.w.......0Zu.1 ^X...T.:>L0.m..NgM..... .r#.].Joih.#..|O...a..6n.......e.t..Jc[.gu).F y..R......K...}..W2.Pz.m&........=.sj...R.e..,.!o....V..'.&M).[.S..M...YF......3i.9..<..bTcnc.W..............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):339
                              Entropy (8bit):6.083681708063125
                              Encrypted:false
                              SSDEEP:
                              MD5:AEE20466C13897F9408F843A0B339ADB
                              SHA1:82C9699D3304E4EE0CE9048DE24B664EB804EDE8
                              SHA-256:22CE31D5A4360E41DB4E836F57B603DE3F6516463BA09CAA6010F9C7FEA0FBA3
                              SHA-512:8327244C868F5A674D9CE77B1AEBD786AF249B1A1807488169F19281B843FBDAEC467C816F0C8CF50C4010DE46B558427EF019BCDE8B8331836FC38DC1F5A798
                              Malicious:false
                              Preview:<.T"p@+6..B..]..xv...q....XBe5.yK.:.>?r[.:`...L....s..u...#H.....n@7...e.......aN...~..F...}&...y@..65.J..S....lq......R!j..I....P.R.B9h._..rD....-N.c..5zxZ._...*.<.+I=..ZL...Ct<\g...Y+...*e...3..:$~..}...."P(k..V....q...............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):314
                              Entropy (8bit):5.799666721589588
                              Encrypted:false
                              SSDEEP:
                              MD5:C61955B9D729680CFDB9FB84CEB1F273
                              SHA1:259FE55A367DE28B14ACAECA68DC0293C753118F
                              SHA-256:B82EB80741502E3EAF53654AA44018480C8C89B411AA681B98138507889E47E8
                              SHA-512:A8E8F66BCE85EA3545599EA4A23F03B7847D891BE9265A09AC9DD3916B937A1CA77D024924E997087F816A274621A58FDE3775B3BC439226695D97BA7483FE12
                              Malicious:false
                              Preview:.......'b.A 'X|.l.......)j...............`....2.Y....f.r.V...x..T..K*.I..'JlNI.....y..z.|0.4=...c.....3.2.%..$1D$~8..P.....$$.D.&HJK1.0.....uH.Z.a.......a....`..4;..p..t.....*...fbH.A.!.q.d.GVj.,.u.]...............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):7728
                              Entropy (8bit):6.737685985434278
                              Encrypted:false
                              SSDEEP:
                              MD5:5D6814702A94D4D9D334530A4F3FBB69
                              SHA1:43B980E8D4A115ACB9A75036AD9C5C78874FE978
                              SHA-256:9E474535595A28C0CF900DB4DAEB5D0342B987459B814DA813ADCA4BF9B71E70
                              SHA-512:C29E870D50C775D3D9BFDD09138C891AE000BD40D4E085806B9D30F000F1FBCCC9409DA1D4FB15B3B1F2696EDF1E1309472DBEAF2997029F9A304E86647C9565
                              Malicious:false
                              Preview:.y....l......._...H..xh.Cs....<.../..~G.xb3.......R..`.#..%.d."creationDate":"2023-10-05T07:41:35.604Z","version":4,"application":{"architecture":"x86-64","buildId":"20230927232528","name":".2...6..\....B..DP.. 4.I.P..`..Vn.....?>>...W....E../.c..%.4.:"Mozilla","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","channel":"release"},"payload":{"otherInstalls":0},"clientId":"a.i.........L.\...K...(!..aP...7..Dc..o..:>#........I..j_q..:.'.plicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86-64","buildId":"20230927232.i_..@8......J.Q.WR..?=.Us....k... ..7.. 6s.........=..pZz..{.w.8.0.1","platformVersion":"118.0.1","xpcomAbi":"x86_64-msvc","updaterAvailable":true},"partner":{"distributionId":null,"distribut.4...=....A..G..D..ZebU.....q... ..>..%5$..W.....G.j@a..#.2.rChannel":null,"partnerNames":[]},"system":{"memoryMB":4095,"virtualMaxMB":134217728,"cpu":{"isWindowsSMode":false,"count":2,"co.>...Pb.......I.!..]xbU0?...(..Go..wV.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):650906
                              Entropy (8bit):7.591445100600519
                              Encrypted:false
                              SSDEEP:
                              MD5:3FDBEA7AF1586C92F31A96E6E3321DDE
                              SHA1:D4C22D536EFB22F3802DE50A9718B4EBDF9070EF
                              SHA-256:A8C8D787989C4D8E1DD05B94855FFC5CB66C849621180B587F98586DC27FD119
                              SHA-512:9F9A6F7FCE123715EA0DB8EB2C674100245AE7A2604CA60DD33EFF73E870F2B47652FAEE98F8980380ECE53EF4D9BB9E68D79562A158350262A82BA045DC65AF
                              Malicious:false
                              Preview:....a...b.j..{..;0..v.}.!..mrW{...Y......Zl{i...'.L..m..x..........!..L.!This program cannot be run in DOS mode....$.......c...'.u.'.u.'.u.......u.....[.u.....?.u...v.4.u...q.4.u...p...u....t@-.qH2.9[..H......m.3QO....."*Q....~3l......:...|............................PE..L......Z.....................v......m.............@..........................p.......*....@..........PA.b...f.j.}....0..v.u'.;mrW{....b......Zl{A.....L.%j.OD.. t..T...................tt......@n..@...................$........................text.............................. ..`.rdata..U.P.b...f:k.m....0..v.=.!..mr.U....Y.......j{i....L..m..y......@....wixburn8...........................@..@.tls................................@....gfids..............................@..@."".....z.j.mt......p.=.!..mrW{..Y.@.....9l{.1....L.+m................@..B.................................................................................................................PQ.b...f.j.m....0..v.=.!..mrW{...Y..
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1194
                              Entropy (8bit):6.88046026362708
                              Encrypted:false
                              SSDEEP:
                              MD5:507C0E4A2F9D99300CD600FC3CF5E36B
                              SHA1:581EA51938E5F998E18664A8402751D94A6D3726
                              SHA-256:6FB2625599BC84CEBE5B0C01D7B5D99CDBA5DF469D8AF94DC4E048144E74124B
                              SHA-512:F27F7516612BBCD4A00C61BF9E6B254B92E2922C9B80296424D3A6FA47D669D9AF9C7DEA7BEEF9047DF880F53C8A27866E546D04B7376224E389BC2FCA1FDE4B
                              Malicious:false
                              Preview:".x3......C..U..E.....M.*.|'.o..}.?]m.4..t.$...5....vY`..:=jqn.x3......C..U..E.....M.*.|'.o..}.?]m.4..t.$...5....vY`..:=jqn.x3......C..U..E.....M.*.|'.o..}.?]m.4..t.$...5....vY`..:=jqn.x3......C..U..E.....M.*.|'.o..}.?]m.4..t.$...5....v.`.B=(q...3....~..C..'..E..|..M..Y..'}o...}.?<m.4i...C..5....vY`..:=kqn.o3....r..C.. ..E..t..M..K..'ho...}.?9m.4m...V..P....vY`..:=jqn.x3......C.U..E..O..M..h..'ro...}.?.m.4o...&...w...Dv0`.H=.q...3....;..C..&..E..t..M....W'<o..}.?hm.40.D.........lv=`.I=.q...3....o..C..9..E.0..M...U'<o...}.?im.41.B.........:vk`..:=kqn.o3....r..C.. ..E..t..M..X..'{o...}.?1m.4m...V..P....vs`..y=Pq2.-3....i..C..=..E..|..M..n..'ko...}.?<m.4q.(.r..j...lv=`.I=.q@..3...5..C..0..E.....M.*.+'uo...}.?3m.4n...k..\...`v7`.V=9q...3....~..C..9..E..j..M.3.|'_o.}.?.m.4p...x..T...mv#`.~=.qw.n.l.o.a.d.s.\...................................b.........D.Y.Y.q...h.. .e.....W(....:..i-i+h.....A....gl\;uk............../%.+*.%;zU...9.~]&.%.n...T..}S.....V.w .w.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322
                              Entropy (8bit):5.935364618008552
                              Encrypted:false
                              SSDEEP:
                              MD5:64AFB784DA56788D8CB650E1CBA8C446
                              SHA1:ABCD3CFB11ED58DA9976C42C3E777340AF747AE9
                              SHA-256:8F6E6C5FC88AD6F78329F5B3187CFDC5FDE172B37A0B2CF88525178F253097A4
                              SHA-512:20340479AEE805B4A6678C102BFA0C29765CE9D13C2A5580DD0B2D846ECDAD3A1AAB1F6E419B7DAF13076E0D9F45FF8F3E71F56F4471BC9648410559A85D8A94
                              Malicious:false
                              Preview:..F.=?.....Y N.f.........jk..l.....v."..jh~......X..<..w.Oc*l.z...g..A.f.._F.(hs.......>......7.\~A|Hj@...9!..S.II.V..b.G..|H........%.../..<-...M..M..Pm...I......,...2r.n.....(.R0.&IC..xZ...&.U.....+.[.H...............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1313
                              Entropy (8bit):7.552936635621831
                              Encrypted:false
                              SSDEEP:
                              MD5:48452A5C70E306EA3025C66B51960206
                              SHA1:B874A660FF11A0088F486EB83D94B69B9255ADD2
                              SHA-256:32BC5A2C52D3DABD8CC5C50141FE4CFBD0FB689EC8AE018B1DD7828552181244
                              SHA-512:5CD9AED2655FE9B15B52122D88EF42BA02784F0E53C24DB1A29A28EA83463BBCF1F276F4765E5B492A757C6B5B8F7A8239833178F68D5E173D8A2388798480EA
                              Malicious:false
                              Preview:....I..D.........%,.IB.4.........dL5..e...@xYk..r ..;6..\&r.....4B.....Y........sm.VO.%..t........w..u..dS:.:.U<..x`b...<w.....#_.T.."(........jx..?.4..y.....yIy..(.y.n."..g;.;7?..\.f....>H....AB......j.;m....2..d.....~Nw..z..+,yY1..a=."1&..A;x.....g\....KU........9..pi.?..u.....).,..k..>@$Xl..-_.^[n..E*f.....R%.J..BN..PO....mr.Gm.X.,.....,.u..5...v.?...f;.3lc...~(....?..|..!.......^.?+.EO.4..u.....?Dm..(..5q.?1..a=."1&..M=g....Q%....\V... ....sr.Gm.X.~.....bEk....d.{Y...z=.k}<..Mq......>K...MF..ON..Q.7+.......s......?X}..>...u7.~..g%.%7...M.`...R....._@..>.....tr.Gm.X.~.....bEk....d.{Y...z=.k}<..Mq......>K...MF..ON..Q.7+.......s......?X}..>...u7.~..g%.%7...K*z....Q%....\V... ..^....E..8..u.....tEo..k..[.d."..z#.2.;..%E.......O....GS......^.bz..N.h.=......}C{..)...@$Bl.:p .6&=..Z*s.....R.....\V... ..^..........u.......#$..7..F.hDb..u&..= ..Z.`....5M...."(........ux....`.!......>Gq..5..m.7....z6.ZX[..\.s....ator>..</software_identification_tag>...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):262458
                              Entropy (8bit):4.993621632928523
                              Encrypted:false
                              SSDEEP:
                              MD5:4F29FEB14E6270957FE6F6641449593B
                              SHA1:4F2E8A825C19817E5DA92B9970DDA8300A4E6F9F
                              SHA-256:AEDD62BB08A9E45C0E9C05338CC5C33389A9B0B1DBBFFA77FE59C6484BBB22AE
                              SHA-512:3B2049D99AC4FD3DF0AC646834E91BBA914754138E290C2E1B0B885343CB8969CF018F9F00A8EF0B61F1BB12F5D3C3BEFD3FC6728E912A566D8A4D7BB6D5D200
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2375
                              Entropy (8bit):7.28108954393942
                              Encrypted:false
                              SSDEEP:
                              MD5:728DE87A3E6403F422D1FBAB7B9E3F2F
                              SHA1:DFC83DD8A19BDA299FF7C243960B4BE7CDD75D45
                              SHA-256:57110E89DBB5253173BE9B23983F6120E585E797FC1E1A39F772A5DB7ED1B014
                              SHA-512:EE718A9C9F22581EB790B63739B9C584A3360CC286CF08452A981EBCF1BF64E39942762A88E9EFAE7F56E8ED0844F0E196CF9B0A058696FC15BF5D4C4B651D35
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1307
                              Entropy (8bit):7.271420889000363
                              Encrypted:false
                              SSDEEP:
                              MD5:1B3C42647E8FED6D0D12792C71B282EA
                              SHA1:23DEB2315D485E7C6BC69E4223AC71DF1E859461
                              SHA-256:5BB9DB81586B52E8A8391D20E2CB804D47984AB9327290A8E5358E8124819806
                              SHA-512:4887FE9AB050DED54B208574688F0CB60539B047DCA5A147F9DB73EB1669DF7D108801F53DF4D7D78CF7FF18E2B7561F0203F08C3A40250879997158D61F7A15
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2666
                              Entropy (8bit):7.144631918992502
                              Encrypted:false
                              SSDEEP:
                              MD5:A3BD0478273655DEA255586E271B79A2
                              SHA1:0FFFB433AAB214A26B281EC471850871A19C4D0B
                              SHA-256:E081394D52CD5A6B68B1856C3903DD357BA7467E11C32F9F9E5DAD6892649E4E
                              SHA-512:44508DED081047E4B23F7FC991235F00A548E2AF304EB7FB318790F721CDE6D04F78D98290D784A0E583B5F931D7FBEC013F20CA631393891F41026F9D2C2E27
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1313
                              Entropy (8bit):7.620303890376663
                              Encrypted:false
                              SSDEEP:
                              MD5:DCBD738502662CD5DC79C8E9FDE8F708
                              SHA1:270B3F55235974FD7C661E238F5DD26967D4F59D
                              SHA-256:B5E34ED52D32DD0FAE71C049797DF86644CBF8760CCC79F6E13AD9AE4546F92D
                              SHA-512:0484F9469FC1D3133E6352B602C6C67866077A6B787B1F7709867EF71597062BFF78BC6BE6FBD52C9341C0F005AAE1C732BEE82F0FF3EBE9D59B96DE0D7D52F3
                              Malicious:false
                              Preview:3...c.bD..<T/....4...f.I.%.[........h.+.U..]...7q...8.f.>..3{@|..{.d.X.&X)...*...z.U.*....y.U...!..........u....E./.l/.s7gK...J.[s3..o....E...%..eF.....;.....3.M....C._.@ ...g.n.50.T7.3../.\h3..w....]...G.b-..j...h.6...?.N.k..J....q.../.}.# .2{."..7.;H..;i$...j......Hp.O...$.N...8.D....Z.O..g...).v.9`.;s.....3.qL..4O$...:..(..Tm.......y.....h.f..K...S9...h./.lh.2sK}...j.o...l.u...a..<...a._...`....n...\...O...p...8.1.Z..b8Zj...n.qh..:.L...w...k.e.".Y..$.Y...?.U.V..F...~....t.j."m..x@a...`.PD..'R1...$...d.U.).....5.S..."...K..Z...QC...?.-.]..~7./..".4h3..i....A...D.e)..s.....n.....o...."jS.S4...-.l.9~.7x@1...j.x.E.1W-....2..'.C./.U..9.....v......\$...a...>.C.3o.7x@1...j.;H..0] ...e...g.G.%.R...v.....j.R.\..Z....z...:.n.5B.=vZf..{.aDK.<H....h...f.Q.).o...._...9...3...@S.Og....-.`.1z.1y...../.4.W.iN3...a...x.D.%.`.9.X......L...my.S4...g.f. b..xMn...a..+W.u.}....v...g.H./.S..%.N...?.O.4..\\..u...'.a.3z.,SKscriptionList>..</libraryDescription>...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322
                              Entropy (8bit):6.010338151458706
                              Encrypted:false
                              SSDEEP:
                              MD5:F9EC2E6F49F7F96F3A6B5880E1B668ED
                              SHA1:89405F097440D8CD87E169192D9D615BC76AC3B5
                              SHA-256:96DF6E08D59D18C0C2C914FDEF056158F8BE51A11A08FF003E77271DACC1AF2E
                              SHA-512:C083383E0CB75D8B7E550FD92C92895AD91CAF091C5E70A4D6D0D12A73E52674CC19A365E432925B1D9D3B021D97F904DEA4203FB19277270FC174DDA56205FB
                              Malicious:false
                              Preview:..:V|.X...P.w...._......6....V...=...e..v.....m*..`...T.......QsZ....../.yS.2Y.......$K...Xh..P8.J.y..p.x.t.Ti..!H:Q.Z.4.......1.. "..55..xKM.j......N?....vS.u..|-.B.j).....Pzh..-.xj!...Q...W...w._G].1#%FG...............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:MS Windows icon resource - 1 icon, 64x64, 32 bits/pixel
                              Category:dropped
                              Size (bytes):16958
                              Entropy (8bit):2.9616661784314777
                              Encrypted:false
                              SSDEEP:
                              MD5:A1FAD2EA0C8FCBD0875248172BB457E8
                              SHA1:648F40B1CC77AB6B34013F696F1C07D7ADF303CF
                              SHA-256:2E6C63AB7769F3F7EA2F3622A865D857ECB14D7F2DDBD4AB64E15B6C3DC5E14A
                              SHA-512:034DC081B23FC5A42D23AA3CB76A50A329BAD1BC79CCF37A33C9C78CC642D941AE22649879AC43F87077000711CEF0FBECE27C80313F83C53195084CFE6528F2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5504281786569605
                              Encrypted:false
                              SSDEEP:
                              MD5:65BA92E9CDB253C39144BF671228591F
                              SHA1:43696DF376C0E3688DADE3D1FE5716ADC8ACF3FD
                              SHA-256:2C2848CA7A71B7B842475CC02E4E61AAABD781589E595842AD025908FBB5F845
                              SHA-512:755AC41C1BDC5D84BFAD96A0A99106784B9720D36E2864DCD6434F1B5FB2260500817B55EF3A2290DDE562F497BAF5575827E2C2504E152EF15DED5FE7B83FE7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.591344860865036
                              Encrypted:false
                              SSDEEP:
                              MD5:EE07EA06473AD64F3CEE6D76F3A56E9B
                              SHA1:4C0B00DE954228A2C8762DD6BD209AF64CE2BE29
                              SHA-256:8E0C22D512370AAF8E59BD3585E2155279FC8C6D3AE16228C18E59BB82B380E9
                              SHA-512:EFB0EF810D0C61129E773D09D9BECDF8928B8C2626440F98949DD33DA0442EB3AAA6DD26CE49C3065B79E88DABD28B51EBDC511227A151E5BE1D6C548AAFFEBF
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.600739702951926
                              Encrypted:false
                              SSDEEP:
                              MD5:C2953D2F487C01FD2656E80EA0B0CF0A
                              SHA1:098931A8EE320E0F4BB3F5E149855145E19CF270
                              SHA-256:176541116FEFFEE04D2B963E17119A1533321BFA253603E607A76182478E7B0C
                              SHA-512:856EA0DFDD205435F7411FED63382B5C9EC86DDADDA17C1AFAD44476853492B68F1FE391EA5DDD426F7350662617332F714740142F0DE9E8BDF410EC4A09CBA7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.569852992044991
                              Encrypted:false
                              SSDEEP:
                              MD5:97B3E94F63EC6B3D4DB4F69B0F17FC87
                              SHA1:5069786B66853C3E54FBA289B9BBA9E80C0A4926
                              SHA-256:5F32332AF702FF1BF0AFF8286935F46708D4A5786CF985ECBFFBBE60B5696BF1
                              SHA-512:F52FE8176319D7704FA1D11DFF3332D03F794C4A6317277A0F971E536DE6DC19605CBD82FDBA68B436957B38CF707AA1721AEA5C8E1D106245A6DBD56BF64565
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2769
                              Entropy (8bit):7.283832080481731
                              Encrypted:false
                              SSDEEP:
                              MD5:251F95E77420CEE04B5D368E82544085
                              SHA1:F101DE8C3693E538C0A04ED059A3C5B1D0CAA1FE
                              SHA-256:7DC5E3374F2071B9F78B10F11192BDED447FD0CC32A4439D3A65C0A5F7849428
                              SHA-512:B4F1D87EF76C1E5A22B2F1A8A5BEC56B6D6037D7314585BF9A60C07C0D522D456444597F8898F8CA565E2257596629F791B93E404B51CDDEEFDA4D97280441EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.587159194978132
                              Encrypted:false
                              SSDEEP:
                              MD5:02AC2AB40D11E28B982DC4D752A3E3FC
                              SHA1:910DC030B55206E2CE0EC49B21C01CFF03D3E561
                              SHA-256:7EE00A1240C7B0D9EAF1DC2337BE0E545A1F8659E6659F4FD3A410225991DED6
                              SHA-512:CD843FAD9CDED0210679A0C1D3E61F7F8C6B2D4BB175844142C1E585A94CAB82F44D63F611DAAB05CAB77D4961D5184ABBB2F300A39F6C22AE2FC9D1FC06F27F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.610845927073111
                              Encrypted:false
                              SSDEEP:
                              MD5:D1257966EA12BCDFF57720FA971C68F2
                              SHA1:031CD0EBC2B83FDEB3C3481DC6B86C515D8F44F8
                              SHA-256:C06EF77B965BF1B3E70B3F7FD3D5B1020961B656FC18546F04F713A3B2AC79E9
                              SHA-512:E27DAFD09948FAAB1CC64E015ADAA39E39EB23D4ACF3280EF3E2F5DA803E02B42F79C9EB3D2C5640EFBACDB7DE232B4F07284A7DBF88F74A21B316FEB78C4342
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.572858164545694
                              Encrypted:false
                              SSDEEP:
                              MD5:0DBD1CE738CB7B6EC924873F84BD86E6
                              SHA1:5C5D0F7FEB12BDAC9B8D703563DFDE13D4C8C1C7
                              SHA-256:F80BA3E9387BAC97633222C8E07C62B72FBC8A3D73FF82D660AFAC33E7D9A2D0
                              SHA-512:F9846877C129A3B928EE02595D1358DDAD24526031B200EBBBAAD439886623EF022594F297AB11E70BC79FA639ED4ED8E8961BD4385556F9E76CB145978177B5
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.6215040070664
                              Encrypted:false
                              SSDEEP:
                              MD5:C9394F6E44F58219BFA0ABB1A7F888EA
                              SHA1:27F502542BD8E435C036B007DF771AB5EFEA4157
                              SHA-256:59AD47E23F82A8E33CE1A946B1F6BF18AEE430292EB1957E8CB3F062930A9FB2
                              SHA-512:BF650CF74936A6B52FB7E9288AAE34BFA0EFFF3C324CC065ECCDADE7856319D7E652C90752B11C7E88CFBCB491E1B30A1C5A053D3551C147C2D0C05A755E6BEB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.628865496833913
                              Encrypted:false
                              SSDEEP:
                              MD5:C5CCAF42ABAA995F309E786C1A685F91
                              SHA1:0DC6429CE5BF9A9D71F315A736D1037AB67B92F9
                              SHA-256:4525A65557A675D8B69AAA5E9B9CFF535A5D0C3DEC1131747AF052D70E278868
                              SHA-512:9AE913660FC681C7272BB6591779AE8F0BA52133FEB722D53841D53AAF38D9CB3885EE6D18BBE179A6A0C2AA14D98C854DAE4E4810F327E0BAC3500BC38D444F
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.601644996926588
                              Encrypted:false
                              SSDEEP:
                              MD5:D1AF29A252435D3F25CF90319B9FB5F4
                              SHA1:E2BE19CDAB139BB5281C84860FBCB5AD9842E369
                              SHA-256:D5434C1C5D86A4292B26FF2951FD710319D50A7B9BBA9921573E4B32F2B0DDF1
                              SHA-512:6A315252E8FF9DE6E3B9C04C293C0CC3CEB5B5AFE073901A9BD237A49F5BAF2CDDF3F21128D2E7396C1E5DBB94F8FE0349540393E33674C27AF591F1A6662539
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.567264571164203
                              Encrypted:false
                              SSDEEP:
                              MD5:C2E594ADE50703A3C934DE2DF7E84893
                              SHA1:ACFF87FFAD69D44A3A014D650F58AE4AA86CACF7
                              SHA-256:FB75C8F0862DB86BFF7DB08F7C632E0D28CD38204F5F7B2198B8CF2FB803997F
                              SHA-512:F267BBAD78E760D286E1025472A8714F97B9FAE9A15820027B232CAFC8200E929068F611808F716B45DFB11675A963DB77016450555B0CA13E425991CBFC45AC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.594376987467605
                              Encrypted:false
                              SSDEEP:
                              MD5:FCBCC0EE0E2AC9C668ABB09E88D354C4
                              SHA1:5B310277100563E7ECA9B1077D8BD08EC255132E
                              SHA-256:24D1BC355933B69DBCAAD123DE51A230D2CFD25E9D97176FDE7D33E6A901755D
                              SHA-512:E2826516A8892249136C330867CB5D19521B731C872F8E5F25A8AC53837DA99427BCA5944F5A01CFE6313A0D9AC58E386AF2D3974C5F3C567C19E4BBA69A1E5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.641250145656936
                              Encrypted:false
                              SSDEEP:
                              MD5:C2227F117059A0158B53021EB971FFBE
                              SHA1:337F6F58E41E371BB165DE971E9095D5F2F7F95B
                              SHA-256:A3F215DD72857C2A2279454C61B6CB86E1AF449F0A6D57ECFF9AD81CA2D9ED13
                              SHA-512:5AFBBFC70A26CEC22B92D25CE4FE2900FA82AE67F12B65BEE0CD1F79F7FD8B5527BA149A7B8702B886D6C9627DB6C5D46C4163BAD235B56C532988DF4DC56C2E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.62665566784789
                              Encrypted:false
                              SSDEEP:
                              MD5:B795392F0E529EAB429FF87057296856
                              SHA1:ABBD3D748FC7ED906BC4C95B429F67E57DD8A290
                              SHA-256:5A0CC25BCA16B75DB110F73B4E890DA8587FB640B77CD476A61C00009162BFCF
                              SHA-512:46DADEB7E1B5462097E5C3B95DBC757EF1B833B2F805874316D79CD1729201B994E186CBFBC6E20944822F295E915EACCEEBAF15948ACC93B1139FFF4FD975B3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.598978039740994
                              Encrypted:false
                              SSDEEP:
                              MD5:D5F9C22F214286989669693D67E768F6
                              SHA1:A8125491FAD11C7576EADD704C768FB0C00215BE
                              SHA-256:563CCBFBFB74A2353EF31480EA6C5BB8ABD0118F4B56FF1FD8D06FC8423CAF8A
                              SHA-512:802B69C9A54F8BD9621AACC86763569E463397C9395D534A7CD44A3201BE5C8DA26C413ED86B520EAB9393A4C585CDDEEBD307A76065B4162CB1994844FD04F3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.510344479590959
                              Encrypted:false
                              SSDEEP:
                              MD5:15F1680C263FDBB8DD06F9E5AEEC7B27
                              SHA1:4A76183646757D50A2CAC92B0FB671D7DCC41E27
                              SHA-256:E37A0549603DF770C36A6352F2E7CD2B8DC6055E8622C09B95A33DDB7491CE52
                              SHA-512:EB2BDC4D31CA7AD6A9B8C51CB40ECFA08F23FDFA9E18A58046B48105F2EFC4FCE418B2913FD4581D6DC8755AEB7B801060D605CD199982E2E9B6706A08F51B5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.634076353827573
                              Encrypted:false
                              SSDEEP:
                              MD5:42CA2AF393AB45C240D6508B6D277167
                              SHA1:CDBE216FE34B41D119BA492BE5B0FCC926A41C8C
                              SHA-256:902E26E1214F297D82140399255DCDF01687269C167296B36EBCAA76256914D3
                              SHA-512:E7515C3BAE7AD3073E5403722B25947051B0CBB2BDE4BA64C63A912EB7395C006BAFCDD1D4F61DA68A0D8FF1142A89D5583ABBB53B6A40D10146B02C703DB2FB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.6087405581191225
                              Encrypted:false
                              SSDEEP:
                              MD5:0131E92AB4D759AC32957D421E7F51FE
                              SHA1:514F364C5D5C890086ED76710E32E04E1BABDB0E
                              SHA-256:143F21344DA1ECF75EA411F8484AE530CE861032B469F11B671EB76B7BB1034E
                              SHA-512:6D0FF0EA615BAA7C07A421CB5EDF7D5671535ABA9FAF2C4669BA2A371F9986BB56ADC406A7716FA3E62CBABC2359CEEF665D1FCE9C2FDF25ED7B5F64B7FC52AD
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.508784067448316
                              Encrypted:false
                              SSDEEP:
                              MD5:A8720ADEA7B012FFE43835A70724153B
                              SHA1:682BC90B89CADE42099CA3AC2A069332FB53E2C5
                              SHA-256:FDFA87639B41F5DD12E59A123C80A5CFB7D78CCE8056C9B2238BA43D3CB9233D
                              SHA-512:F43ADDA3A30416FA06505987D74E9CFC8F6F0AE984B7FD101307DF4E847C51FC835C1C6BA6389AA88BE77A026BB5D349586AF52E9683A232D3647377D1576760
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.539970797461499
                              Encrypted:false
                              SSDEEP:
                              MD5:8E1D48A9927199D43E008A886B9E0398
                              SHA1:CF9E568A216EAA4F20BEE2F141AE3E2814F68298
                              SHA-256:25E5402AF4A266E5394B605C203FAFFD1680BD62B08032AE8810FE85E1AEE481
                              SHA-512:BA1AEBFD57869F2CCD620F6723A7659E449E41080AE3EFEBC2305930E8D83A26EF39C5CF8363137AD0F95D8FFB34D3824511F4BC0549D09F30986F011053EA93
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.61570837290041
                              Encrypted:false
                              SSDEEP:
                              MD5:6FCC29BD4D6797F9A9089AAA25D605DC
                              SHA1:C398CF97E13306DC3EDBEA903D1A7E7FF95984BB
                              SHA-256:EF98D99251FF6D95474E680C09642CB745EEC535751C176F20DB0F4635F563DC
                              SHA-512:E052DB32BB2EB49A32520BA87FBED3640575CB61F8B02EFBBE267FB87F9AB85CA73F860A7CDC51DE5393F101ED236CED074875546A9DEA2149BC391C59B8EA49
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.618924716718637
                              Encrypted:false
                              SSDEEP:
                              MD5:6AB3290BCBF4E3BC449A353CA04C9E5B
                              SHA1:76E79DC6E925F5DA557CA6B2B1F5A45EE607857C
                              SHA-256:D29077478379616B57532198EF4AEFFEB1A18999354F30B99CBF598E9713E5D4
                              SHA-512:EE221B11F139EE0F33067A4EC1EA6A9D280C02103EB0CD55BE365DE12BC6ED20F221D0BCDDCD3B4DC95FDBA46C190F7E6987F0B8E65122B26A64BEB3521568BB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.551189498232695
                              Encrypted:false
                              SSDEEP:
                              MD5:CE19A37D41CB11048EED787EC1138DB5
                              SHA1:2973240476EAF55BFC1ED7495D59AEFB629959B5
                              SHA-256:37F03AEE9DE9F692268F6E8C733866BF0FAE4E60D9AC11185739D8CB9824BFB8
                              SHA-512:899D98450428A267CA01B123DDE54DF28DF0F43A31212CF38448CB249735634FF8EB0225320041DCFE5CDFDC70108AC62A37A5B317B8BB0DA984E871B16A479E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.623300941624152
                              Encrypted:false
                              SSDEEP:
                              MD5:15B2F78937522B797CCE9CDE6AAC24BB
                              SHA1:EDA4AD0437CFB64FB514FAD3B9698D993CAC2738
                              SHA-256:D35CEDFE0DCB91919E9F39091185F32333DD7419DECFFDFFD2BCDBE172DC9F68
                              SHA-512:8E5331176A8C3082A7D2B295BDBD1E47A30E8DB92B8BD5FE9C5139D3B2B64752996AB17677EB92C1601BDC8325DBC6326C3DA04BED4AD95BDFFC09CE1284AED3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.499247947239487
                              Encrypted:false
                              SSDEEP:
                              MD5:8BF56990ADC170014B06F5AD689FDB8B
                              SHA1:4ECB27050B02F5F0D3B4F188EF31D2E520B8626E
                              SHA-256:643027C07571301B056AC0DA7971EA6F9B004CF410614CE4B304BAF40D687E94
                              SHA-512:A7AF24B578356205A147B7FAA56B27A1821057F6EA1B913EB2D02DE52656F9FF736E23963B2625895D6FBC1D4A046A511A4088E6B54C88D8FAA8B1558D8B8DF7
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.611697674184022
                              Encrypted:false
                              SSDEEP:
                              MD5:D81CFB1D11ADDCA8AC7FB47DC449B07A
                              SHA1:1F5C5E5A32831D0DE860A70AB5AB8209D3EC6F22
                              SHA-256:946F8831525D492BA73147D036803F055FD325971EF059FC889C02EA9FA4309D
                              SHA-512:F61AE50E8EFC98A7B2F13347CE3A949F4E984A7A73BD298ED7481939567AB53A8215928652A266961BB083B1ECB3EBDE8B9D732CDD40E95332504F5320E56D28
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.507718918496583
                              Encrypted:false
                              SSDEEP:
                              MD5:E9C0B01FFC8EF9FB47F8C8EA13E28715
                              SHA1:0D90E6C93F5B657BFA1C99F29AF19E4063B67B45
                              SHA-256:1A76694C2F733A1601556E5420DB7A30C27AAB522E22D695B3A48EC10182D205
                              SHA-512:AFD532B2BE680E22A6F5B63575757270F23B81E833FB2B38A9D7BA4F2C51BF7D7B7FD7CD8F43DB697F38137EE801C89FAAC318BB72C35D79C7B38ED605716FBC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5784822512264
                              Encrypted:false
                              SSDEEP:
                              MD5:96964BC8D8B40C1A4261F6A385DE5F1B
                              SHA1:812478FEA6DA58AB353E6969A9CCB6057E895B1D
                              SHA-256:EA813580D4F639EAC3068DC7A65CE06F35349337F029C62CA9300AB75E0234C1
                              SHA-512:9ECE42634E701CD64F17AF6D982CED95DC2D294A55FBE3BC751A9DE5603E1A4D11FC60CD0C18BF4319B9963EDF17992E65EC776BC97BA5F8A0E9D28B300FCC36
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.60540610828585
                              Encrypted:false
                              SSDEEP:
                              MD5:99F49366998BCF631E7EFAE94231ED37
                              SHA1:2E786CCF808E5E6E09207B919CA8C6874EFCDC0B
                              SHA-256:826A892BE1EAC38F612C0B7C4BB5664557DE72D8617A2983DB31779A4F06B97D
                              SHA-512:41F0609FA2658CC8148C96550538F1030BDFDEE02325CB93D3DACB55984C00114DB40013584CFFB81F886A9CCE9922E16AC63CAB4FA0B204A0939D3E4E939D1C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.6099732953541475
                              Encrypted:false
                              SSDEEP:
                              MD5:578489781715CB8776C94BDFB8740D48
                              SHA1:ABBCBC1BF9DD7AA2B385DE677BF48EC3F3307A40
                              SHA-256:0A5CE0F9C035B843D0F8EC956C3D9C7F17B033E367A5EF3AEEBBC92C7CC3B17C
                              SHA-512:82A135F6608BC969CE1A08DEE0A477FF3143088106192DADA0088E57CC2AC69E98DDE7B98E78AD9C6CCFDF5593173F21697040F0EDA032C6E597F1640AB6D275
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.579745796011573
                              Encrypted:false
                              SSDEEP:
                              MD5:86CA497ECFB471312C7D10C99D92B206
                              SHA1:96929B33961A5F62DFD0104FFEF8CE4FB15DE632
                              SHA-256:822BCAE0C432C2F70429E1B86E6D14FB78B123FD9887CED1F0E5DB06599A8842
                              SHA-512:3B4EE727E015D3E69E6B8A4C91635EDB197A7D0FFABE8E2C687EC0511F293A4D3080CEC28112559BCDFF59BDAD4E19BD35D688373357D372BD8CED2264984ADA
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.588834009668122
                              Encrypted:false
                              SSDEEP:
                              MD5:850ECD0C9521EF4ED125311AC71F4805
                              SHA1:654F2D0850343436C7BF5DD13D99BF9D66D8D24A
                              SHA-256:EC8956F8EC8487EE47D96EF3FEC1AB86AB6B41B47381E96CCCF7FA388EDD1586
                              SHA-512:C01837D27D853A3FA22AA4193EE23D8F79EA6EA81CD237A5EF113F71A43FB02D3BF7746A7E2F00083875A67CB7947B8BE1E0B2EA42E3F81D30A30D3CC4B7AA1C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.581527019180005
                              Encrypted:false
                              SSDEEP:
                              MD5:2445EE40A192A281841B125DDED9735A
                              SHA1:3F2FA7DF7BDFA695FBB268EE69D0655AB6E1BD12
                              SHA-256:00404C9B4A2BA257AAA01D7E5B8E2CD2A8FC8017F633257CA0F205CDB7E0CC0E
                              SHA-512:231000222C80645CECA4472FD56A9EC77FC2138C9131D9453379CF08D4C61DA7E6754C55B502C62BF897C644196776376312BEA3E66126057D81F525F9BBF9CE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.613445884875621
                              Encrypted:false
                              SSDEEP:
                              MD5:C2208AEC5A99647F41FFE3576E5D3DFF
                              SHA1:883F6A96CF142E67EC9608B6C3B40AF3E5F67D90
                              SHA-256:FF192D8D5B79A1DF44CE92A40FB9F5B1384B90F346083483DC4E06DA082A8781
                              SHA-512:F744AB193FA7E46969202E9E0037C4A7895E8EEF1439AE8D0AEEC4A2AF1135E3CBD78711E9D0F262928173D249049636B1961AE2838267196EB9350AA24918F2
                              Malicious:false
                              Preview:.,OY.'...."...}@...8&..Vk.;MA...s.l.j8.Q.o.D.G65W.i;..."..D.&CL.-....>...uH...)4..Zj.4Z@..>y.q.i+.J.}.H.@ 3\.a<...<..E.0V].%....?....rK...&8..Vk. _B..,c.w..l .[.a.[.A7.D.y?...8..W.%GP.:....-....sQ...+>..W}.)TJ..>q.a.p>.S.`.N.F&=Q.z!...;..K.#LF.;....8....lU...(1..Qu.7MO..)o.r..b).D.b.J.A<=E.t*...#..K.3IN.;....*...aP...23..Oy. U\..2j.n.o0.E.t.O.Y$&Q.r(...$..[.:NF.0....9....uS...2=..Ru.2_P..(n.q..|4.\.s.].B8?S.e8....-..T.<A@.,..../....lC...2 ..Ek.%^A..6c.a..u;.H.v._.@=-S.g/...8.._.8XF.&.... ....cU...1 ..\k.%HM..6~.g..w6.A.o.D.\/0F.s*...*..Z.9BF.$....-...s]...:%..Q}.(VF..,o.w..k:.P.q.\.Y'2W.f:...&..P..PY.6....%...cV...6?..Mk.=\J..2p.q.v..Z.y.M.Z#1A.a0..."..P.(WK.'....:...i_...,'..Vn.<MQ..0z.d.k-.A.h.A.B"9B.w?...&.._.9YC.9....4....nS...9&..Ey.'M]..1|.x..i1._.s.J.R90P.f3...*..J. WO.7....)...r^.../4..Mf.;N]..!x.y..s1.B.p.H.B63[.r4...*..V. IO.,....$....bO...!,..\v.7IV..6p.f.|..N.|.D.]:2L.`5...>..^.=ED.%....(....fV...*3..Ik.5O]..,m.g..u=
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.613445884875621
                              Encrypted:false
                              SSDEEP:
                              MD5:C2208AEC5A99647F41FFE3576E5D3DFF
                              SHA1:883F6A96CF142E67EC9608B6C3B40AF3E5F67D90
                              SHA-256:FF192D8D5B79A1DF44CE92A40FB9F5B1384B90F346083483DC4E06DA082A8781
                              SHA-512:F744AB193FA7E46969202E9E0037C4A7895E8EEF1439AE8D0AEEC4A2AF1135E3CBD78711E9D0F262928173D249049636B1961AE2838267196EB9350AA24918F2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.598841402842233
                              Encrypted:false
                              SSDEEP:
                              MD5:1555842358305CE1E8EDA70C092CB23A
                              SHA1:BA3CA8BF3D03D33A5DB0DC46B150BAC5DF54A537
                              SHA-256:BFDF1EC626588487C4E3C00FB2B73E78237405ED7DD417EBD449E453A303EECF
                              SHA-512:A512EA2E5A5137AEDB2BFFF08902903793C6207DFB84CCB2B67EE3D2CB5B02CE4F8C7F0A478013FDCABF1ACE4E734B23DB495163224487B89CB43440330B6729
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.598841402842233
                              Encrypted:false
                              SSDEEP:
                              MD5:1555842358305CE1E8EDA70C092CB23A
                              SHA1:BA3CA8BF3D03D33A5DB0DC46B150BAC5DF54A537
                              SHA-256:BFDF1EC626588487C4E3C00FB2B73E78237405ED7DD417EBD449E453A303EECF
                              SHA-512:A512EA2E5A5137AEDB2BFFF08902903793C6207DFB84CCB2B67EE3D2CB5B02CE4F8C7F0A478013FDCABF1ACE4E734B23DB495163224487B89CB43440330B6729
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.602957899356805
                              Encrypted:false
                              SSDEEP:
                              MD5:859118A400DF37C127D297688A0520CF
                              SHA1:4900594A4247A110542047D0640FE61CFA9E81BB
                              SHA-256:4FD4D9D0DE3A51B476334118B838335295C5FA694841D63D75C919810591B74A
                              SHA-512:6C25F2FA5DE1E8836DD9F1DD7270A8F96F6844C21121192493580A0D66F8F5C7D8AF8D9FDA1E7424CB0529F2F2F85D583D7C528D97D4864AC58D86BA29683B8C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.602957899356805
                              Encrypted:false
                              SSDEEP:
                              MD5:859118A400DF37C127D297688A0520CF
                              SHA1:4900594A4247A110542047D0640FE61CFA9E81BB
                              SHA-256:4FD4D9D0DE3A51B476334118B838335295C5FA694841D63D75C919810591B74A
                              SHA-512:6C25F2FA5DE1E8836DD9F1DD7270A8F96F6844C21121192493580A0D66F8F5C7D8AF8D9FDA1E7424CB0529F2F2F85D583D7C528D97D4864AC58D86BA29683B8C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.576112837245432
                              Encrypted:false
                              SSDEEP:
                              MD5:647F1866A3F5F2A1E4F5057F7B987788
                              SHA1:A5EC2D73FBF949EA662A161CE474AB2D64B24C22
                              SHA-256:03F3DB1D1B39282D28F3572A474D09243C2037E1CE4243B1A3008404AC84E740
                              SHA-512:82F9B9E5231F30C7239BD3516DFB53E9F2F7599B94F1431B879950AE6CA7ABE7861BAAFFF9E38C621A40B6CB97A9699672A81F570AED077307CC66EB4A9AE45B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.576112837245432
                              Encrypted:false
                              SSDEEP:
                              MD5:647F1866A3F5F2A1E4F5057F7B987788
                              SHA1:A5EC2D73FBF949EA662A161CE474AB2D64B24C22
                              SHA-256:03F3DB1D1B39282D28F3572A474D09243C2037E1CE4243B1A3008404AC84E740
                              SHA-512:82F9B9E5231F30C7239BD3516DFB53E9F2F7599B94F1431B879950AE6CA7ABE7861BAAFFF9E38C621A40B6CB97A9699672A81F570AED077307CC66EB4A9AE45B
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.592093955689808
                              Encrypted:false
                              SSDEEP:
                              MD5:A0B91332B4B5B784AE35B65AD950C508
                              SHA1:7A4EA6E7074E90498D8CD545CD98A8F06F605191
                              SHA-256:CC016A724E49237168BA98EE2C1EA3B86D734E2CF790DF0551BC62494C8FE871
                              SHA-512:41A65177F009A437559EEF30D660B549A0953E15D1C66B919CDEECC4B5E62BF8BCE9BBE5362D16327059358B220276E707F3035E3D74479FEB6BCC0C0C135167
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.592093955689808
                              Encrypted:false
                              SSDEEP:
                              MD5:A0B91332B4B5B784AE35B65AD950C508
                              SHA1:7A4EA6E7074E90498D8CD545CD98A8F06F605191
                              SHA-256:CC016A724E49237168BA98EE2C1EA3B86D734E2CF790DF0551BC62494C8FE871
                              SHA-512:41A65177F009A437559EEF30D660B549A0953E15D1C66B919CDEECC4B5E62BF8BCE9BBE5362D16327059358B220276E707F3035E3D74479FEB6BCC0C0C135167
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.596856340964451
                              Encrypted:false
                              SSDEEP:
                              MD5:5ED287127A405352C26C3124EBE1C70D
                              SHA1:3210D6CFE02E730B012FDAF62981C2EB2A319032
                              SHA-256:F68D8302F76541A3BDD2425E3C67B66106CC6570E3628A1FFAD789FEBAB38BE1
                              SHA-512:59B5FC6BB709132F1EAEC1FC69B371324A292BF91910092CA59BE08FB4089578BFE578603786183E130F218BAE39FC44687983BA687CEBDF7077FF1B1F2314A0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.596856340964451
                              Encrypted:false
                              SSDEEP:
                              MD5:5ED287127A405352C26C3124EBE1C70D
                              SHA1:3210D6CFE02E730B012FDAF62981C2EB2A319032
                              SHA-256:F68D8302F76541A3BDD2425E3C67B66106CC6570E3628A1FFAD789FEBAB38BE1
                              SHA-512:59B5FC6BB709132F1EAEC1FC69B371324A292BF91910092CA59BE08FB4089578BFE578603786183E130F218BAE39FC44687983BA687CEBDF7077FF1B1F2314A0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5279628599965065
                              Encrypted:false
                              SSDEEP:
                              MD5:E317B73ADE1816727823864765C4E885
                              SHA1:1DBBF978D7B3816BC6E5B7D98528912C13E20030
                              SHA-256:BF521218034DD1F6B7C7CF03E5AFFBE767C45218954C2CBF8C75220894BFC92A
                              SHA-512:F182462C95CA283706F736A989DBD6D17A83F06E9CB9C6E8AB6DC160636DE7EBDA04495DBCCAFE26D01FDA50AC1FA845F118C677A0CE60243FBEBA9FAA211958
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5279628599965065
                              Encrypted:false
                              SSDEEP:
                              MD5:E317B73ADE1816727823864765C4E885
                              SHA1:1DBBF978D7B3816BC6E5B7D98528912C13E20030
                              SHA-256:BF521218034DD1F6B7C7CF03E5AFFBE767C45218954C2CBF8C75220894BFC92A
                              SHA-512:F182462C95CA283706F736A989DBD6D17A83F06E9CB9C6E8AB6DC160636DE7EBDA04495DBCCAFE26D01FDA50AC1FA845F118C677A0CE60243FBEBA9FAA211958
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.593183666771475
                              Encrypted:false
                              SSDEEP:
                              MD5:66B1318B7D676C6759AEF731D5556400
                              SHA1:156C3350EFB515E01F3DCF9C34F766761319C980
                              SHA-256:959E0C7495C0D702AD4907584DA1734CE2400B5340D074E24395296476CB0731
                              SHA-512:518328EB6347589E9E7C9F0CA359FDCE6549F2E30D44BB2E2A28E91A45E323C2403380B79FFD536665E1CD54C5826D5B49EB325F8A575FF20101286018C95CCB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.593183666771475
                              Encrypted:false
                              SSDEEP:
                              MD5:66B1318B7D676C6759AEF731D5556400
                              SHA1:156C3350EFB515E01F3DCF9C34F766761319C980
                              SHA-256:959E0C7495C0D702AD4907584DA1734CE2400B5340D074E24395296476CB0731
                              SHA-512:518328EB6347589E9E7C9F0CA359FDCE6549F2E30D44BB2E2A28E91A45E323C2403380B79FFD536665E1CD54C5826D5B49EB325F8A575FF20101286018C95CCB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.559658711644536
                              Encrypted:false
                              SSDEEP:
                              MD5:6D298C22C22A74671731D57DB937ECE5
                              SHA1:4AEF4800DB1CD22081FCDF3408BE73F5E0388D98
                              SHA-256:EBD205C2585C5482316E974B9A6143FA2962CD4366DA44598666A7E964606F99
                              SHA-512:297F56EF7568A1C5740095EC81418C1403F6DA1F2FFD618D3D21B671434F36DC9FDC9C60EF166BFCC45165B6E01E423DAA77A078C70345F2B6AC2FC8386F3637
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.559658711644536
                              Encrypted:false
                              SSDEEP:
                              MD5:6D298C22C22A74671731D57DB937ECE5
                              SHA1:4AEF4800DB1CD22081FCDF3408BE73F5E0388D98
                              SHA-256:EBD205C2585C5482316E974B9A6143FA2962CD4366DA44598666A7E964606F99
                              SHA-512:297F56EF7568A1C5740095EC81418C1403F6DA1F2FFD618D3D21B671434F36DC9FDC9C60EF166BFCC45165B6E01E423DAA77A078C70345F2B6AC2FC8386F3637
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.544251872938085
                              Encrypted:false
                              SSDEEP:
                              MD5:E565EC6ACA1B212852421955C284317E
                              SHA1:B26E643C6ADD49DBA392DD9997CC1E8C17F99037
                              SHA-256:636A3AF69C13953ECF3D0FAE7878C08D381B7B060DD6A9CE4D3FC78522E4AC9C
                              SHA-512:28146721FF04924CDEBA706526913BDA1E6E16BB0C3FBB42B314A07C550E6744FA0B419DA2FD0655DFCF0A2A3B5249F4359B45BAAAA83EE6F3BD29FBC4C6AF3A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.544251872938085
                              Encrypted:false
                              SSDEEP:
                              MD5:E565EC6ACA1B212852421955C284317E
                              SHA1:B26E643C6ADD49DBA392DD9997CC1E8C17F99037
                              SHA-256:636A3AF69C13953ECF3D0FAE7878C08D381B7B060DD6A9CE4D3FC78522E4AC9C
                              SHA-512:28146721FF04924CDEBA706526913BDA1E6E16BB0C3FBB42B314A07C550E6744FA0B419DA2FD0655DFCF0A2A3B5249F4359B45BAAAA83EE6F3BD29FBC4C6AF3A
                              Malicious:false
                              Preview:R$.B........f*...?......gt.>.5.YB...^..\...s.w..%."chg.x@:.U........|!...>.......fa.$.:.GN...]..F...e.c..4.)eco.uI0.T.......q<...<.......at.7. ...QT...@..M...k.j..#.3xuu.wN*.K........h"...<......qa.+.(.WH...B..F...y.a..$..+bob.gS6.U........|/...9......ub.8.9.MH...O..\...h.r..,.7{pg.yP$.C.......y3...'......gz.4.3.PB...K..X...o.o../.)fe..jA:.S.........k7...4.......lq.&.)...ZU...C..H...s.g..$.:tyz.eW7.D........p9...<.......gx.4.0.SU...Y..K...f.v..:.+{d~.uP7.X........o6...1.......av.<..".WJ....]..^...}.g..%./|t~.tU7.\.......|/...6.......kk.4.5.N@...A..C...l.v..'.=egm.oN(.U.......d;...%......yw.8.9...EU...Y..B...b.z..,.,xhe.lY,.Q........z7...>......di.#.+.D^...O..C...b.o..#.>~ix.lK5.Q.......u:...1......ax.$.'...XO...B..B...d.x..-.)~fn.dK,.V........d1...6.......tb.".(...[G...Y..V...k.h..:.-al{..P4.G.......v=...%......ou. .7.WQ...F..E.....w..$.7kdr.gQ).B........w3...$......vr.?..7.\K.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.606560291308269
                              Encrypted:false
                              SSDEEP:
                              MD5:027BFC4E4A3B08B310D240B04CF65835
                              SHA1:82BE7EBD8E7D13250DDE4EB94AA4EA8C91189AE5
                              SHA-256:8B924BCA23F1E9C03E4EFC33A76CAC431CF7BCFD4DD47A9FC3FD39D0729BC0B3
                              SHA-512:18861E9941D7DDE2D91505F1F1FC1EB100556738B54AEE09FF65BA0F3681D416B3085EDEF33A6439D5E1A811649410B3101B3D0469423319493E71D9597276E0
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.621713262755328
                              Encrypted:false
                              SSDEEP:
                              MD5:7847D0CEA9100B711E0F4ED93BEB85AC
                              SHA1:B06115E18A79A24EF4D9B921DCBCB690D629380F
                              SHA-256:9F13DC7CE99FA140F92FA4B71C7BC990E6C76F1462DFB02F8B49477FE6E28DF3
                              SHA-512:E0D1D691EBADB1A1C599F9F22BC6358F6D2BC7F64B95ADB15A2B0DDC4A7D463FE734DC12FD8AD2970D22BD51B8D0A07D93D83D4D36D792AFDABFE0C80BAFE51D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.584054223799716
                              Encrypted:false
                              SSDEEP:
                              MD5:FDE411302BDADD01B3D18D9FFB12D86E
                              SHA1:DB745F4F6504F7F38C0E40D91E9AFCCE8DFF0996
                              SHA-256:BB94DF8AE696D1344E068B43B38289C8F3BEB3F6E648B00B1C29EB0EF10AECD9
                              SHA-512:12D0EEA7C93A8F1F16DFD00374EF73AC4BA6885D5508B2CCAD998E446A5D9924C5691F6852FBA80E2E6157B3383CA78389EF251BD8D5EC1E13F1CB0214A7F714
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.616600351835654
                              Encrypted:false
                              SSDEEP:
                              MD5:403048F4BD332756462FFCD04ED0BB99
                              SHA1:2D0B35BCFEC10A32B7D0996BE1547B425C7DB952
                              SHA-256:4BAC379FF503DF2F493070583CE7B532ACF8FB47C9BFEE037B38DE5F7A7585D5
                              SHA-512:704BCE33E348936A8C52620F838DD5415152395FB2C5087F125B225652C229A752DDB5062CD9C275BE49134A739AB4C928FE1F9DBBD9BA20161B3F76F8C17334
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5733750771076345
                              Encrypted:false
                              SSDEEP:
                              MD5:BC74BDA1ACB3930E417F5FFE3370C6AE
                              SHA1:4B35D7CD164953E8DEFE950532AF143386EF9D71
                              SHA-256:D133352EA3273AC5933BD276645D25034773F22CF6BB348ADB39BB2579C50A35
                              SHA-512:3E7418C0FDDF3C62547336A8414C1488C8097F2328F2D3E20B936ADE4D5F0B7821609A38637A96917A65CBC15D4AC5EE421712B36BF64441018C5E00892645EB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.642441748566558
                              Encrypted:false
                              SSDEEP:
                              MD5:F35110A50C212378C66A747C50E9B9B8
                              SHA1:6FE216F9F3D592A723A4797565FC49A4B67453B4
                              SHA-256:CA6D106240F02F7F6ED0ED502862F0E7D0975FD2E998F70E85B8138936F6A830
                              SHA-512:077367D209632C64EDD875FFA6B55286463D143DB89895FC225DCC86EF91211F3AE813D13719C0D5F92D6CC7CDEA54F791497462BA2E34FAF85EF66A720BA734
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.586843052429244
                              Encrypted:false
                              SSDEEP:
                              MD5:7E338269877BE9CD6A5BFC8C0893A534
                              SHA1:E668AC3C9724537F8455044C4952A031AEC5AB9B
                              SHA-256:26A2EBA13D3E632B0C7C2620ABD3CA0BE3B34C10B26A3BC9A551F94DC9AEFE6C
                              SHA-512:D8D807932CEB79E0CFBF4A981B03A33D83FF1746CF6E62D4D0A16E475F16CB67C187DB7DB020239A3A361B9627834407518E9870178BBA19576EC77487A863A1
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5565138241776735
                              Encrypted:false
                              SSDEEP:
                              MD5:E09B0F3927033DA69932C4F2E2216405
                              SHA1:70431CF4166CE4B410587A72DC452F8B4D4C1C36
                              SHA-256:5BF23EE5FA4C388E7049109D34827E7F9D6313E938E6AEC81DE7B37DBB2C5E5C
                              SHA-512:A4648F4240D020B67CC721C30D9519C703AB8C43060C3D72C4F79BFD9DBF003986E2AD6DD35E529A5F8CFDC09E6901B3F743B96685A1BAC038E391AC0FDDEB5D
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.564531742211648
                              Encrypted:false
                              SSDEEP:
                              MD5:0B7F27FAAE683D17E55CC3DD15A882F8
                              SHA1:F697F26EDC2AEF53AF81684856146CE0DA865A69
                              SHA-256:DA56F94AA1F08EE9FD2741E371E6583D7C966E1AE138F995B951042DE29E6DA7
                              SHA-512:EBD70E5C0362BB4C9BC9C5B5C59C8BDFC352BDDC6C0933B683583EFD2579649E2DB8B38B879AEE2EBB248CCB2F8364475EE4173DED2CB3083F4F4A2357AC135A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.5926290609283145
                              Encrypted:false
                              SSDEEP:
                              MD5:2AF1C0F10CEDF93146877D5B6EEE0A85
                              SHA1:AE9ED1F7A44D904E699B88314826B253110D5015
                              SHA-256:FDA2A6EB9A61F4C725D85B2B7179EC14C6DE1A62DD27D72E54245EFA0180D6A1
                              SHA-512:1126E74A2BB8756DD98D19CBC9F97BAF12A81C4C6EA852F5B57C57204E044A4963776E077A2BCE2AE63AEF4AA92296F4517B2A8F243F07EF4C3B12DD4774DADB
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.627659067999272
                              Encrypted:false
                              SSDEEP:
                              MD5:66419B67CCEA8AA5F0C3987848631728
                              SHA1:F9C2FE9F9A242B30A595144ADBE80888F858830D
                              SHA-256:08C5C4AE12C6420AC575870E9D59DEA093E18ED3C02AAE754BA4FAD938835F2D
                              SHA-512:D0B35092926B7F550F0FA4E841D18A9A5274405D2DA3192028A4B493E344D79ABDE0B12BFE6B0900C8B6750A657E5EABDAF628439074AF277FA0072602DF6F0E
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.548008077832333
                              Encrypted:false
                              SSDEEP:
                              MD5:E58197E52EFD98E75C8B836039A45464
                              SHA1:BDCF44ADBB8F1D6C70EED8823933F70FB399819E
                              SHA-256:145A19264350331816712810C6A9FE1F4F5DBBFCF9F300EA48149915C5A9316B
                              SHA-512:0FD6173D0A15308D0A8D228EC13E9B9C1BA7254358A1BD7349D26A7518AD82E9044E112C2D62FE06A8CCA589D8B7D656F51EB1D132982B885BF7F04704F2ED21
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.587885435723995
                              Encrypted:false
                              SSDEEP:
                              MD5:123F053D80C2816526D2792D847F2F1E
                              SHA1:23D784024F498C185CB8096A96E5848707A41149
                              SHA-256:97D9CBE291F0281E1B9B51D70416A1A21288886F4335BC320779CFAF024F2F76
                              SHA-512:3151CF2D41C74A8B7D306D813BBBFA125321F7EC4B2C8784F579D2CE98C315080F4A3A0B42D4FE6B315D0678A6F9414C6C9FB2B7474B63E5DEF59E845DA7AC6C
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.598130702880244
                              Encrypted:false
                              SSDEEP:
                              MD5:81AA613283ED041C1087D96BBE76EDDD
                              SHA1:33D1D3D1B8CFE124C59E6176726B8E26C2D84077
                              SHA-256:43ED9E431A11362410DC0834F30469ABA776AE5CE38435E65C3CA020EC7F82B8
                              SHA-512:FE4A82E3053D3D0E26B3AD7C4B6E2B50895E035C994223C476B320E013C0C68E4649CBFB51C05C023CE07F083808843B66456477E33C470A407A0B1DC4D04AF6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.631885418855797
                              Encrypted:false
                              SSDEEP:
                              MD5:6AFFF9317C3B1594433F6EBAEBF0C15C
                              SHA1:F7E88F74593EC469EAE46D068FF6DF950D7A4A80
                              SHA-256:0F12FFBDE082A04B802AEDC724DF032EAD846DFF89A81136100A03631457B9A9
                              SHA-512:5A982DF81A127297A5005D7C8231283EB78E5A028348325685C2798A1607841EC6021B60E496CF278CB0BC7106CCC36FCE3846D6CCE56338D30A1FF328DCF9C2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.632116336899848
                              Encrypted:false
                              SSDEEP:
                              MD5:43A8B2656F2067033EEC8979DEA30C6C
                              SHA1:09F4B5A8AABE129754E11AE037CF98B23B7E01D7
                              SHA-256:13EBB13D46AAF2195BB36A0D58E8264C55FCA75B877B5B72BC29884A52AD41B3
                              SHA-512:BD10D31C16EE3ED4A367852C3566714B7432C75AE4B8D632DE381BF13D561F7A621BE915F8403810C72B3773C09067530B033CCC458523B3BA1B9F2E9DE15CC6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.544551188187208
                              Encrypted:false
                              SSDEEP:
                              MD5:4DA8048E5CC5F236674D6EEBDD08FA1D
                              SHA1:94575A70859543C6F5EA700C63482422EFBA610D
                              SHA-256:319515A87A3BD4FAE5D0D04FD0B2E8825EECE0E1142A2BAF2BCEAFC2F29C9246
                              SHA-512:0FE9A992689E25DEEE40E99FC8BB1E2220A57229F39334982993DECE376EA06D013C6847207F1831D8CBEB305EAD18F451A5F29BF58696165CF5E9ADF29EA5F3
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.570721521176402
                              Encrypted:false
                              SSDEEP:
                              MD5:6A1165D8411F947129656F82947F17C2
                              SHA1:18AE633A7F3B175698C72E5C63FC2C5A735A4E2B
                              SHA-256:DB3FCF27A93D4482A554D584D3CA817F5F2CC98902DD48331E1A35498EFCA9DC
                              SHA-512:1284DF027924AB6985119352E04C99CD915DAE80F170EA4DD327D10CC15E8CE0A4D4B8203C1E748226DAED3523C5C3DE2C39113B6EA41857D5B54181CD9776C2
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Secret Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.599119455779608
                              Encrypted:false
                              SSDEEP:
                              MD5:F4BD811A3BE36905D201BD25E215D40E
                              SHA1:BCBD8E417E497F47754714F94A19B3180009AC18
                              SHA-256:73BC248C2998EF745345AFF86A95FE6EED5648E768708CE64C79B1D92B8191A2
                              SHA-512:59DEC8CC16DBD8BC1E36CBE65F6A8B2A2F7D6E0DA836BB2E215E2F78B7918ACAC123B3FA24120D39987F68D85F2D9BA44043A235AD141726C1F1EF2A534B3246
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.610250592409671
                              Encrypted:false
                              SSDEEP:
                              MD5:521F48004BE8B33FB379166B4C076309
                              SHA1:026E78BA9A436C31EA73EB8236E03493B8DBBE2E
                              SHA-256:3F805CD31FB4E2261923B6540C3B5AC9BE288E5AD1983D59A707857628EC6EE4
                              SHA-512:37F8B164B5E98882285127FE03464C5121D80977B5069DD02E801A72DBA3981721347F92C26A33EBD3A1DA4885AD7D44BC6AF2B0DF5E7548EC945494E03DA614
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.613913344223189
                              Encrypted:false
                              SSDEEP:
                              MD5:1F27D5E16AAD7BB467A5A53AA946AB1F
                              SHA1:5C1582D0071ECC6DAFD74678D880832E0F00161F
                              SHA-256:12E3ACEC339F554EA03383B2F1C6D2C3D6493A1B9488B88703588CF9EA7AD415
                              SHA-512:AB2C07E92F872F05B3E56AFFA998417D479896AFC8988E3DD3C8AB8F4417D692B0B564C27E8809AC50122492D0222A591E314FAFCBFCB4F05343806A761BD5EC
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.6095475400689185
                              Encrypted:false
                              SSDEEP:
                              MD5:66FFCE1895704DFFD06E339F97275C91
                              SHA1:83C0155B4102F465B26D55AFB1524F4151C5A832
                              SHA-256:FA4E90739AA7717A2944D1EFABF2C7BC748DF4760AEC9BFE6B7B343E9793EE64
                              SHA-512:49E34387BE7D2B06D30FC11C3CE61DC598EABE75B527CFF05AE3C790BC09ED18166799A9F616582857DC7BD171D134D978C3753EA853BFF9D29AE6F35F8D2661
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.598189028206064
                              Encrypted:false
                              SSDEEP:
                              MD5:A0AA80EB8929F6D579820BD62E148EF9
                              SHA1:94EA63C6B6E5F1225619BAF1697B3B388575ED18
                              SHA-256:5121E96149F3176E8ED69C63EDF448A16D8645179504F9A45955DEB769713C6B
                              SHA-512:FBEC4321CE60A61E4DED248B46C47A8A5797B58591D38885F8C77F8B91D8E9A1E042D44F4E1F31EA3AD9B38DB562C4F2CBCA1CED9341658C6E26E333427406BE
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:OpenPGP Public Key
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.597101494738964
                              Encrypted:false
                              SSDEEP:
                              MD5:980E24B44DB466F92ED4AE45FA50FD9B
                              SHA1:03ACC8F220AF039DF92B184AB7518B1D6066E8D4
                              SHA-256:B4FBE4ABE66C8FBE8AE7F7B01FFE0020DC81EB1830DE617A314995D78B3CDAD0
                              SHA-512:2BD35246DE5524B04843C6F994C459A5C9525B7AD9DE43ACA4E211D15BC2731DC79AD50168E76378B6AC778F972EC012B46BF15DE3B91F8EA93E61039B36CBF8
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.503820571214351
                              Encrypted:false
                              SSDEEP:
                              MD5:D9CC2936114E6D9310D0414A70864AA5
                              SHA1:F00956693F4A90F7F1A367A7B98B35C16F6DCFD6
                              SHA-256:DEEDE039686E2C45CFB11DBDC5663F3437031126E2901A725142CFBC39A70F9C
                              SHA-512:75BBFC4C1DFB7EF89EBD042447A681342D5BB41FAC23D776EB9A31E01BEE2318FE4363F9D17DE861BFE52A5910C6ED42F422799008EE24DBED0D8676922F0018
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.530718885769281
                              Encrypted:false
                              SSDEEP:
                              MD5:7356DDCB6AD4B386C5CCE1E912DD2DA7
                              SHA1:7551015DD290484530475CFA180A4D5D11C4E4B5
                              SHA-256:0B6CEBF6EFEAB7BFEAFC57A35C40CBE2ABB00C91244DD15B514D51A2FED294CC
                              SHA-512:036A1724D75FD132546F0FF73E9977530016A8D0A4C365D2FD7F04A90FE0F22070FE581B2142FFE6FF17B43070575631A6211587A4ACDBB34F36935E04CC5D37
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.56242089000152
                              Encrypted:false
                              SSDEEP:
                              MD5:96E7BC43393D0FE4157B624C45E1E60C
                              SHA1:CBF0050ADE65E5825047C15C9F09ABAE6215CCC1
                              SHA-256:F58A39A5E548D0874069E200E3F3F3DE0BE1ED34FA90B67EBC731B53E09918E3
                              SHA-512:17850C91AC9485EDC6A9E4ABAD32D150FB502D788613C4F741156301187AA6A286570049864C26038F9D7ED2FF8799BC71487E561BAF789107952911E941C0F6
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.532114310261319
                              Encrypted:false
                              SSDEEP:
                              MD5:F5A6D90281FA8585C88445779471E57A
                              SHA1:C63F60011DF1944CF79835566795F3A3EBBFF542
                              SHA-256:5C7EE24125D9FE66D0D661865B831FCD8E9224EDDC4BB0618BA98FE0F29F6472
                              SHA-512:279327097B7966FC380CEDF262AE253D41DD5CCC5E6D510654C7FD877FD065865B6E851D170CB837AE53883F37BC1F78577598FD30FED6CBFA81F2EB7B7B2A0A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1340
                              Entropy (8bit):7.549505746283968
                              Encrypted:false
                              SSDEEP:
                              MD5:71A110D0F5A364531E8EF5CBF117D4DA
                              SHA1:AD6CA09E6B34BCA42A04573E1DEDE8B875CE8B58
                              SHA-256:819667C4C6F45EB1B5ECA5D156BFEE2F376397A06D641AB7AD69245F1C4AB566
                              SHA-512:AB969478150F5CDD1F35A660D5705B0B23052729ED3C4B41863799D1DD4B37CECE01D192041CE8177BAAEB37F965CB6122FBFBBD51C627866E62FE50D814201A
                              Malicious:false
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):425
                              Entropy (8bit):6.4495099851678885
                              Encrypted:false
                              SSDEEP:
                              MD5:0D7E7D0D5F039749903EA1B2BC371D7D
                              SHA1:551485E7086428B9CA93004EBE8E49E70ED50D20
                              SHA-256:ABD0C004BAD297B8FA58A4FC161F3553481936DBD40215C324AD2DAC71859276
                              SHA-512:9AFEFF9DDED972B72AF75C04BD2A30776AAF3E05A7FF670A13C9340D0276FDD4996F553595393A4F5E44803D7BAF5D9AA99C0837620440ED44C953C01B53A112
                              Malicious:false
                              Preview:....&..j.........o......@....D.....v(.A...,....2......Y.hortcut]..IDList=..URL=http://www.amazon.com/....b..)..;.t.|`$VHY..O.|o.....2......L.G..uT.....M^3(\*.x.IYG8.30m.y8...A. .S.X..H..Q.".$...U..ir...E.P.gP.i.5[.%.A./.,..h..|te@.Z....{+...d;.6..R.a..v.Gt..b.p].C.._.2:....gf.......L.y.w.p....W:...{o.-...................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):522
                              Entropy (8bit):6.792175785524616
                              Encrypted:false
                              SSDEEP:
                              MD5:6A77C46A43F557F59EC1AFDD2CD17A62
                              SHA1:9893AA5F61212BDA9D3C798CE714AFAAA70B11E3
                              SHA-256:4E2280C1DD6D5279439EA69EB1CDDAF80C2F70DFB9450F293F7D332862E1EDFE
                              SHA-512:A60DA3CE2D57BAE8274C52434BE62A0BB6BD47805506F02B4A541ACDED6732C874E199387B41BC61C5CD198563661A54F3E9ED21E2587F3B15A5AD1D04619074
                              Malicious:false
                              Preview:.%..}.1.;.........g.<d.X.....S.......o...s..(.y...#..lA.Y.S....y.1....t.w.s......].Ck..H.^..L....].R6..{..(.e...f.Ij..._..1...k..y...3.U.......g..n..R.GD.^...S.A4..q.....$...a.F_.G.Y....cmages\bing.ico.....?..H...1('..Q.._..~.>I..].'......Sk..ab.b.......J A..T.n.o...q.....A..7PC.Y..F'.Yph...WD.e..`.`6...cB..).........".[..x...D.?.A.9...e.f.9..'xu77..b.3..@.@oE.+.....< .(.J...wv.-.(.d~..v..09.&|..L-{.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):427
                              Entropy (8bit):6.487616169434152
                              Encrypted:false
                              SSDEEP:
                              MD5:B6DED49EE7EE65A16D91FB1901B2B498
                              SHA1:4632CA6E9F92F1E47ABD4D077F23D01D807882AC
                              SHA-256:DF81789F142E9F71C5527C89C3A18F744B25D7EA93AD838F0C707849BC719BF5
                              SHA-512:FFCF2C235CEC41475CC37E68D791CFDD93F164F7D34A7A1BB8D4DF078ED4AA5258DCE0D8F28F53E7203A1550A80E5508687BB1488FE537507430C895FE62FED2
                              Malicious:false
                              Preview:......0b.{4d.A...........'..|.e.).-.9....-.N..I.._......g....>hortcut]..IDList=..URL=http://www.facebook.com/....3_....)!1..KX......@..L...S.j.M[C%0n..."g..3..#v.xt.G...S.......q6].E...}.3'..j..N..@._...RN.....)M\}t.<...z.....h..Ny.........J.j....2/.RW..a.1}[.Q....,...M(.7H..6."M5MvNV'U..L..S6.D9..U.:MQ..2..x....................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):425
                              Entropy (8bit):6.322467556991341
                              Encrypted:false
                              SSDEEP:
                              MD5:35B4C7FCEB2985716A19881E06AFB825
                              SHA1:1056CD5D57DB8686FB559C5DB61C1A1B3E1C7A88
                              SHA-256:A4F1D82B6766DA1154CC4A3F955C2159C05E202B98C6DA48FEC6289C476917F5
                              SHA-512:9A4AF57B900303C31A5C9AAB56F8F853C40CFCBEFD6E5C5B91190223CB844A4BB553906318E3C1B88B77A83133C528E53721D4C4BFBE75CEBAAB53310962C6BF
                              Malicious:false
                              Preview:2..]>...-j.]*.../N,.......4yr4l..'....0e..d~...p......5....{hortcut]..IDList=..URL=http://www.google.com/.....'.......w..y5...8" =4HV@yX,......:U..).;..j..QD...0l..-.._/9&QH.....;.m.w,...:..2..u-...t.. E..W...9...;p...'.U.......L..6/5..JfV...(..Z..U.$...G.g.X-.a.%`h...6.fA.k.C|l.`..e.,M.|4.....93...k.F.q...H...................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):423
                              Entropy (8bit):6.444543445945894
                              Encrypted:false
                              SSDEEP:
                              MD5:1ADB91C081347A74BD1D11EAB7ABA2C2
                              SHA1:9E780471732561A902A34EABB85FEB4C813E80E3
                              SHA-256:58D0F7B152E26AF36BA654E219830ADB6E927DED7743534DADA375E690B8E4D5
                              SHA-512:820618AD110B63664556876B9FCF35D9BD1832B51AAA418873B895629612999B1476F0CEA0801ACB4DBBA8134975FE1CBD4A0AAE9DED0A17370A3BE5D930CD03
                              Malicious:false
                              Preview:..'..z.......r,...1.[..G3(.D...[..taK.n..^w..bn_.......=.....hortcut]..IDList=..URL=http://www.live.com/......?..0.....j....H/'...g.?qX..\"z+3....$Xx.A.....S .T.p.(.T.L..}......W...v.U....ND..Mg..\t&.x.Y..........0....k...;.N.BtR.z.t..$.7....z..h5f........b.#...z..<F...8...4..<.NH......1..>......{.yf....................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):426
                              Entropy (8bit):6.450754132310656
                              Encrypted:false
                              SSDEEP:
                              MD5:E10873155E97CDD80F25EE83BCF637BC
                              SHA1:67BA213C694CFD2B1C207EE61379F1A015CA5302
                              SHA-256:1B4C34A5246FE91BC6E33431510D10788272F390E7028CBC0C93B19B18C4DBA6
                              SHA-512:6EF57EEDCDC86CBB0BF8E2D8BAED75E92365D5E01FF604A2B5AC194D46717AAF967D2A46FC5B7F3007EB46113F35700FAB29AEEF45D4388DCBDBF2220E433DB3
                              Malicious:false
                              Preview:..D..#7.....J...`.`.)...../#fQ.Yg...S-K.............MaH.I......)hortcut]..IDList=..URL=http://www.nytimes.com/......(..b8..O.L.....#._8.|s\.J..)..b.#.!..=.*5E.....s.F......H..5:...j..L.AVg|.@..[.P..B..o......V..u$.l.f._.U....6.%...&7.?F#d..~^....l..h..>h.....q..na..m...\.Z..F....D.....d;..y.)ND}...!.......3..Hz../....................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):425
                              Entropy (8bit):6.365722595816277
                              Encrypted:false
                              SSDEEP:
                              MD5:8B2041404AF1F13594573F2D6A56CC26
                              SHA1:E498F240D4A184FC0F502155A4F8C61C26938883
                              SHA-256:957D7251925CAF78AE8555041CE24B6723092963243A7BF887AFE69944850C1F
                              SHA-512:A19682E4E4958CEA3C788F0B475F9F0080FFDDF832BFC0C7CF80AEC1C4B41F1CAD5231CB17C7E34F3FF066F763EBB8D8898BB815929EABAE2338397C45A0735D
                              Malicious:false
                              Preview:I........3.O..y.h.C.VG..H.(.6.B.:!.....&Tz......f3...<@Bb..hortcut]..IDList=..URL=http://www.reddit.com/....&..T.z6b..m....0*....|.d.(.y....:..w..pV.k.n..aN+N.T}p.x.d`..V%........./.5.F'..|.:.~z. &.T..q..]..Z5..3.....d..".[.K....]..C..*...g+?.!.-.N&..;..^.. ..EUUG7.s...p%s.......".....n6u.2.....H...{....<dt....................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):426
                              Entropy (8bit):6.427578260981766
                              Encrypted:false
                              SSDEEP:
                              MD5:80A7DD97C55DB663EE2F5C551C41EA73
                              SHA1:5A9E857E7E9575DAC51E58E0D1ABE58113F6AC64
                              SHA-256:3AB2333EFAEA364098A8E3150B9AE51973D63C4304854836A7AB1EAF2F769201
                              SHA-512:29020AF8020CA8BD8D7D09BA7CFE1BE8BA118BDC5169A34394BCA0AD2D9BD7F593831D80D18779ADC51EC550690EBA724562B1C98820A197287793EF6638FD82
                              Malicious:false
                              Preview:..k..{...V%....V^pZ..'iL.yx@...su1n`h~....M8.oM5>...S.DL.E|..(>hortcut]..IDList=..URL=http://www.twitter.com/.....O...Sv... O,...s"k.Aq"...,.=..-.........h.....Y[.-.+.&....X........Of.#.......W=.L.a.<.......W.O.XfQ9.p9......41..f...SJ%d.w..>Np...C.....g...........i]e.|-.lyy....d.........(Mj....S.... ..-.6.........................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):428
                              Entropy (8bit):6.407186817304537
                              Encrypted:false
                              SSDEEP:
                              MD5:DFE0B9EADDBFC810B8B5EC40340CFC7F
                              SHA1:1F768F1FDD0BA730F9C6FB3983857FC4C3C1499C
                              SHA-256:B81DAEA2C2C432D28A7219564798E06E1E0D920FCFC1868215FCDE9BCAEC901B
                              SHA-512:04812F10B12EB6008BCFF70C57EE4C1F6AAAA313C8CEFB5B61B459E6EC02F535EC45345D51E40BC271044C1B349A0B1E0B5E23336378FB5978CCD688CDB8C6A0
                              Malicious:false
                              Preview::Q..b.....%.-....%I.,.koCfjO[]l..g..@dE.C..a.N...v/i....oahortcut]..IDList=..URL=http://www.wikipedia.com/....%...u.q.....P...........!.{{.8.7B..x.x....J.o..jpi.l..*..p.W...D.(.\.`.O..zR=6jr.u...Y....ch.R..^.$...}.j..s.~.../9i....^.*....@..,.Ah....Y....K.z&....ym.;.....K.@+.7...u.U.[q.(..&c....<MN......................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):426
                              Entropy (8bit):6.47704341660243
                              Encrypted:false
                              SSDEEP:
                              MD5:22C9EBCC560938A57BE38D726DF6C566
                              SHA1:015446DB1C62548AFA27F23B84F71391EFEB6083
                              SHA-256:15678B9E191F3086F728AC4D8FE4B8DCC24CEE8FCDAE04E7A54DEA03FD7C5209
                              SHA-512:E99561E65E6F2A5279EF8C69E92E4B0E74B5874057E776BDE6AEA913EE79CD61EEBCA61EC682F060B255FE3E562A2FC3F53AA3764B3477AE9E2EBC8A66118C6A
                              Malicious:false
                              Preview:N.G..}].>#...P.)'.yC..]\..[F..Yw..ww.t..`...h.O1..W.......M.hortcut]..IDList=..URL=http://www.youtube.com/............e.XX......zP|D.@.=..v..J.`....eQ....G^.`{...+t}. R...V....j#!.}]2.r........vw.9..TLx..6..G9.......U8...,......!.z..<ziv..o..A.K......Y}..p.]..d...\..^....f..ulP......*..7C.XUIY8.6.l.G._."!.m...................................................................................@.........tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):820
                              Entropy (8bit):7.072797138219608
                              Encrypted:false
                              SSDEEP:
                              MD5:D2D2FF0F3E21DDA2AF6B71077B98B7CE
                              SHA1:E7138FD1FE8EEA0828AC353D75B644516E4FA805
                              SHA-256:582425D3DDDFDE72E27DC56ADC0FACABFED437A5AC2B36E9C7AC1F62B5AFBD4F
                              SHA-512:FB2257FF835F2EE777FE3DF52398D6AA0D93D7FD8671C6CB781896B6CFEE0883F8A7F422BA0FE66AD04B89A68FC4A8ECAA93A0F64D60A4D8DCC464331665443C
                              Malicious:false
                              Preview: .2*a...N.V..&T0..'..".o.p6...z^7.W.R...3 HH.g.[_...Iq.'.p.....l.2*`...N.V.G&T0P.'9?".o.p6..QsP,.MV...2...I..........k27.p.....9.WX.M.q!.". U?l].TRWMao.z6.2.s...M3..Y...&.`.......I..'.p......\^.t.hc.5.E&T.q.4.`PW..D$Y*q.j0eY..}...(...SRl.._.;7.A.b.....]5&e....f..:.....'0#".R.p6.a. `.......G..........Iq.8.p.....(.W*....:.9.5&T0..'9F".o.#f..;.x<U.G*E.....A........Vq.'.p.....l.2.`b.fN.V.EzTV..'V#L....6.2"s;..M....A...=.........Iq.'.p.....S..mD..pH.H@..=x.....h....H.....K...YM...?...................L........':...s....,...s...Um.IUV.?...5..1...45..h.kk..P.x...{....-....~..rx<..fK......{....%).^.x.!M&....o.d.4.../NB.].....\.;j....b7k...2.Hn..v.|.Bc..]Gm.|.c-H..t.......3...D"....F]...B.v..24r.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1273
                              Entropy (8bit):7.356926107494949
                              Encrypted:false
                              SSDEEP:
                              MD5:459879952DDC3443546291EFCCF1256C
                              SHA1:C663B55F9AF04AB9779AE1DF5CD47C837C7BF70F
                              SHA-256:D14F0CB6D017FF0DBEED33723B677AB0EB0CB24FB8CDBF966F3B8A5011967228
                              SHA-512:22B6AE7FEE5D0EA6F373465D49690AF7E290D3DB70A067EEA383D3D6F54E5064CF313D45CF829AE63B621FFF087893C7A61A98EAC3D6A66BE91B935502ED7B78
                              Malicious:false
                              Preview:#...!8...B;../.....LI...:klE!(..eE.m.....O..~9S..g2....R.&....o... ,...B;.^/....+E..AEB{...S../#l..eZ.3...4....,m]...S....l..o.v...."%CW....21......jxE..3":..l........`q.~.D.3...R.7....o..:....B;.4s.....V...._..6.<MM.u..`......`_+"...\....R.&.....ok.. ,...B.............t+k..b.O.(.\..=1*.B.`q+..D.0....R.&.....w..DI..2X../.w.......M_~.......#...4..bv.......X..:4.4(..~.^..C.Y..P...........&+klt.+..../...g.i...C.D.W....M.&........O,..B_.k/..........k0E..."_.kl.......`q+~(D.3*....~~........J.....B;../.........+8lh..x.:..A.6...)..`C+J.r......R.&....o+.. ....v;........=..M+_lr..x.:..Z.2...0..`@+N.t......R.&..J..o)..s.T.K.|.....hU.n..+alE..g":..l.........qG~.D.3...R.3....o.. ,..E..............4klE..x"i.`l........@qm~.D.3... .&....a... l....4.#p.........+Z?..G.A.....#._KO.<+~.Z.3....R.;.....U...u,..BI.}/........_k.E..."Q.El.........qD~.D.3h...R.&......1SPS..mD..pH.H@..=x.....h....H.....K...YM...?...................[;...^%....x.M..T@*:.....s!.].~~ ..:
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):562
                              Entropy (8bit):6.8963324610224115
                              Encrypted:false
                              SSDEEP:
                              MD5:293F9240588F58026EC4E823DF50E67A
                              SHA1:989223AB5DAB709F825DCD3EA5ABF07D2FB37180
                              SHA-256:5C8304EE548E23C78196E5F099E5F6CC86F6C684939B5BB8A53F826A66FB1844
                              SHA-512:502FB27CEA4931646090F845659D31B97F2A8F5C787EDC5542DBDEB0F9282721BE0BAE2C80D64AB7E051070B54773113D3FDFB6ECAC443FEBA2BB4082E000E16
                              Malicious:false
                              Preview:l..9..R.....\..=...\} .."....pA\...Yc.f...E....j......+J.$2S).w).b^O...M^....wg.J.N'..g.X..$.....q.~...M....2.].$..`.$..|.%p.@?...{....k..3...BP..(...jKO..Dj.Y...W...?....j.<..06.=.g705-d2c5c2264656}" />.. </query>..</persistedQuery>.......:7.z.P-...."....F.X...k...R..v...$...R[.D....T...H......A..z...(.X....M4...Ov8...60|.R.3.....&];..I.....X..B0.M.KxX....<....|.cw..c..^-`R6.D.EFL.^v.n........#E....4...P.mQ....z.T.F.."..8..37&.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):562
                              Entropy (8bit):6.858174677600785
                              Encrypted:false
                              SSDEEP:
                              MD5:909DA510E4CECE8BD1173BA1F1CA6038
                              SHA1:F7935BBD712DA2FD5C065C84BBCE12F0A18E0BC9
                              SHA-256:B87AA06757F7D908BB7AEEC61124CCD1BF648CA224928ABF68FA1C8F32EB8EC4
                              SHA-512:731A67240B4B074F6BBAF400D23FF7D1BE9102ADAAF5A105289E644239ADB3F4EB1D794C3AA1BB5FFBA02D4BDEE72BCD8AD594C57478E12BF3168034BB2D8551
                              Malicious:false
                              Preview:Z../....B@O33........5...?..%.......I*dY...(.....r..1/.x.]b.....H..P.....ae._...........l..q..Z....2e....#..O..=.....x..7.LF..).....B].P.........z...).?...)....E....p.....5..)k.l..s..b2c-40f215767514}" />.. </query>..</persistedQuery>.....,..m.p=......y..A+..q.T.a...-....fL.(9.....`..r'......S..C.0.Q..u...b..)q.....1iX...U....IT....l...#..-.{u..|.v'o..S.;..V.D=).a%....KcG;KO@.(.{RFA;..O.....z.7.U....'p...}.i.[..s!..#.5....j.F........H>q.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1173
                              Entropy (8bit):7.511943861517038
                              Encrypted:false
                              SSDEEP:
                              MD5:32376AB074EF383E375715404CBFE9BE
                              SHA1:363C0ED73A737D5C1A5BA7DE01605642EDF98DDD
                              SHA-256:D4881581F7BC9481B98AC5D28FA9B3EF9ADEC8B4FC7C262AE0F85066E1724193
                              SHA-512:FFD6A822A7259885DE986B1AD794FDD2AB4BA7C358A001370B35DB88BA93A1BCB11CB3A576F213F6B173128421F7744AF1BFB751DF8100F151F8400EDBDE8D42
                              Malicious:false
                              Preview:..Yr.W6.FOx..nG..../g.....gGm?.... ..CE..F.N.....f..m...NH....O?..,.G.3..<L....$i....9.W.....|..f..C3Z....O..a..[..$SO....Nm.IM...-../..../:N....9.Q....M!..iY..T.H..0.k=.L.G.NT....RL..2.\s...8....Ta8.....>.q....Qk..'..H,HB....{..E...uO....UR..5.WSa..FV....1h...5.<..f...?..&..U.T...F..%FZl.TQz......Z.5t...)....7....L.yN....>.J?.......iE..B1]....6.}Jb#.Y[OH....mp..4.[R/..lV.....s.....uJC8..2..dK...m.N...R..+G[..HV.....*.As...!...cJ....JL.R..\.).J....Yz..;.f.l:..>.S5.m.8&}`....F^.&..u}P...7...5.E3..=..$y*...b^...8.f.l=..>.S5-h.8&}`....`^.6..u}P...#...6uQ.....6"}....bl..>I..f.j...>.Z5.k..&ui....n^.4..uKt.......D.EC..0..!y....bV..08.f.i=.2.V5]h.7&[e....l^.3..uK\.......1.E...2.j&y....b|..{8..f.i=...1.V5_h.5&ye....l^.3..vK]...7...5.E3..@.).J....Yz.Ds...s^....q..@..Y1+..searchConnectorDescription>...j.,..R.O.7.\u.8.....n.P|....kN...p....e".....S.?..u.qDc.g..x...r.SPy..~..*..... ......^+31>..H.06....f..@.QD....~..I"k....4.s..vo...
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):322
                              Entropy (8bit):5.866446502977971
                              Encrypted:false
                              SSDEEP:
                              MD5:0E47625F4CFE4D762BC4C14DAAE292E7
                              SHA1:112017FA8913C057AFD8C8FEC7008C3B4883A9AD
                              SHA-256:9F05D63C02AEE11915E6899C3CF120D2A5F199333FE510580B8769B89F166770
                              SHA-512:97D9563D7DD5A048E0C676225E3254DF6A99AE047F79B0B98612BB5C873BE5F52D2F3592969CB20E54FAF2D6E514935D0B3FA21C1EB604C0B95F98EF8DE83067
                              Malicious:false
                              Preview:h......N....Y.V.iSg...`....q.\....7...*.....n.g.o..s..7g.\.D.]"Zr./.b%c..I..K$..5K..M.....(...Y.....o....W.#E#.-....Q...{..g./WZ..7}.....-N..ja......."0..\%.../.?.0X...&...s7`.b;R... >!ART...n...y._3K..]..Z).............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):522
                              Entropy (8bit):6.829571096388383
                              Encrypted:false
                              SSDEEP:
                              MD5:E46190E14820F469AF4348930CB0F295
                              SHA1:9BDB8E2963360273358B4B054CEB5C1D3B4B435F
                              SHA-256:831B87034EBCDB9AB14041DEDE093D44F17C53D53F73D34A6AF1A27C13734D36
                              SHA-512:F8BCF7457F500B8AF6CBF77C424ADBC1FE5C0BD7F12AB6540AC24679D1987FC316D3BF2DC3DF70F76043F956B0EA185E028971A6EEA4A28E6AA477A2CE8C679A
                              Malicious:false
                              Preview:...-..o...'.. <.U.tz.`2O.."(..O.p..q.{V..z.....X..*..bVG.#J.t..:..i..*...C..y..X.N.Qo?...b"...]n."H"X..........o..I0../V.X.f`..,..S...e.~h...tG.ja...{tD.Zb2.3[ m(...[$....h..|gY.)J.c..mages\bing.ico.....X......7...v..w...9&....3......i..W/.n_......2K .......9..xd#.d..O.j..Z....).......Zm.D0.../.#..L.5...SE(....'....)3..Z.$.h.^E.U&..Fz......>V.........G.!...B.5.X...?...w.Y{..qc.?kR9..s....V.kg.\.%.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):808
                              Entropy (8bit):7.053895451656371
                              Encrypted:false
                              SSDEEP:
                              MD5:F79FC16C700BF28A5FBCDD79C4B15BEA
                              SHA1:9C4A32C5119684DF862688E8D6123256F035D549
                              SHA-256:9C5E9D77B275EF1FFF14842126D6E2DF139BE6A7AEE32CE527650DC8003514D0
                              SHA-512:349F8D4A3EB551492E36692D977F49C547530EC0980E29336CF4F7AF4AC6B8EE124E49762ACCC273241154217A96A4FD3686102F42354AD7B0F95A0F3BF2081F
                              Malicious:false
                              Preview:......ll8Q.PM..Db....i....rO..4.a.....Y.:].b......N..o..2K......ll8Q..M...b.....i....C`....{......[..#1......o.....z..Z...]"#.(.z0......G..._$.....{.......[..#.....N..o..Y?.y..c.\.JQ........Pb.......v..;....e... .pk...x.Qwo......[.....&...E.....M..Dbh....X[...E1....,..]g.,..[..#1....N..o...WK.......l.8Q..M...b..5..:....b.T.n:.I46......[..<1....N..o.2..z...t..ldQ.."..D.....-..._......{.......b...b..;.#.{..Bz...=x.....h....H.....K...YM...?..................so...N.8w[.$....K..C...1Of ...[c....Z....z.&c...i..?P.e.1..4{...T...n.XE.....O/.b..~<..3...Mv#..t...D!.W...+"....{.....A.aL..(v.......M..Q&.LI..Ea.u.K/.d.J.F.k.i...R.=T.ny.w...j...O."H#a...AN.*.(...H.ILjjU.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1253
                              Entropy (8bit):7.348428444907953
                              Encrypted:false
                              SSDEEP:
                              MD5:C310DE28F465A0000FFFBFAD283FA409
                              SHA1:CE55214B83CBA00B56E4587F280FA72E64455A9C
                              SHA-256:F16DB104D98E2260E4020F02CFB631189B2E74E952EF22CE94F2679E2DB8523D
                              SHA-512:B25199A4D8BA8BD900EAA43B3953D70A72B7F6D2E474AC77A16B321B75BE8C5E48BA47949E273E53C21E0366A530718A1F5A817A4DA004CC4DA2D3131A9E6588
                              Malicious:false
                              Preview:..6...Hw.P....}.&...f.<..i.\.E......e.....p...J..t..3..]...n]>Y*..6...Jw.P....i.9...=...Vy..)...3...cY.h.C......{EDAu..]..:n..H*..^&..Q.&............h.\!.l..;9.M...t....,.B...3..]...n\>Z*..?.<Zw.P.Ke.(bC....Z.L5X3V.G.b_V.M...Z.\....B..q3..2....\MY:..6.....<F_.}.&.....{.$+c3.n9g........t.`....B.vG3..]....9M2^......>Ge".7.n.e.2..&q'I.=.7fub.4.S..6OY...w..U.......u....$'...F^.k3.].}.&.T...4.l9O..4....b8.......5....B...,..]...n6>6*..S..jw9P..e.!.s.....F.Li5\!.+..;%.....'.SxcY....\....=.q.->Y*..6...Jw...._.}<&....4.?[.m!.+...%.M..F.2....B..23..k...]\.Y...6...J@.}.:_.}&&.....4.?_.o!.+...%.M..t......B...3..H..K...0.o.....u.._.}.&....>.?iX\N.\.m;I."..t......B...3......nY./...7...Js.P..@.}.(.....M.Lih\D.F.#;c."....t......W...=..]...n\.wa.%.K..Jw.1.._..Au8....9...\....~%.M...t......B......]N.on9>+*..j..%w.P..,.!.b.....Z.Sis\@.O.p;%.M...t....0...g.^.Y.k.&....x.....h....H.....K...YM...?.......................6.<r.a.Q..c@.7..'=..C..2..*..H..j...[%....2..'.,._.2
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):3408186
                              Entropy (8bit):6.143370220341449
                              Encrypted:false
                              SSDEEP:
                              MD5:0E722D4101CD1F7625D77F5F4F8649C5
                              SHA1:FD807F0D8620D40D42A4B15B4E414F99EF05D223
                              SHA-256:B5DCE23B012049144C61B27D08E6E992F8D79BA8915A7A36B3AD2557098D78CC
                              SHA-512:8892F0BB9797341505013B19F74884D95D517F8B096D4769C807A2E1B8ED39A125517084C80125C5AC23C0555DC1A1E29796B420F4A0CE195AE7B1AA161D0956
                              Malicious:false
                              Preview:.3.CI....~..........Z.P..!(l.C.......l...!.T.....q.vDeu..s.s.e.r.s.\.j.o.n.e.s.\.N.T.U.S.E.R...D.A.T..........S........:.i+...S........:.i+.......S........:.i+rmtm...7....OfRg.............V.%....?~..........Z.P..!(l.C.......l..Z..T....q.v.eO..&..................................................................................................................................V.%....?~..........Z.P..!(l.C.......l..Z..T....q.v.eO..&............................................................... >.................................................................V.%....?~..........Z.P..!(l.C.......l..Z..T....q.v.eO..&..................................................................................................................................V.%....?~..........Z.P..!(l.C.......l..Z..T....q.v.eO..&..................................................................................................................................V.%....?~..........Z.P..!(l.C.......l.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):562
                              Entropy (8bit):6.857567007547116
                              Encrypted:false
                              SSDEEP:
                              MD5:75019081EB88FC8D336AF6580B0CA8C5
                              SHA1:C52B3BBBE04F48D62723B0A115101EB541FBDE6E
                              SHA-256:19814DCA65227FCD48855CD3F6A1C690DE868740A5888D23509ABFC9E6D0C134
                              SHA-512:728CACD45A24012609A6D2562AB8780AD5416F16F289A7B3D916CC0D25A649D970C76ADE2BE2EF4781BB0AC4C079079EA6D2E9DC9A539414D8F65CAA33931E12
                              Malicious:false
                              Preview:..O&..{...u...f..G.uc.8.D........mq.D.sB..3@)K.Q...A..vC.s.S..!..:A].-...<..-WE;.9)5?........B.84.V.kC..;B"K..O..]..[i.s....s... ..i...h..d..W.j}+..W.........Kw.M.Lc.B!.$@....R..a..g....1705-d2c5c2264656}" />.. </query>..</persistedQuery>....8.U....m.P6HO ...;..h.[..&.:;.x.(.u.r.p..<...M..o....x/y...iG.t...r.&LG~.u..s...Ho.+=]..l19n.~.....{...a.H.....6.V=.|...c.R..[...Ge4y<W~z'.h.k.....~F.b~....I[......@.\....M..i..v.s+\.$...T.K.2...{...l.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):562
                              Entropy (8bit):6.9114190139273
                              Encrypted:false
                              SSDEEP:
                              MD5:E1504DE667B6EE8945D533ACE58089BC
                              SHA1:5D3E7C8DCAD028A010F44BA0E285A923C9A2AEEA
                              SHA-256:2727FA10A6EFE41D3FD46B3CE0581CC88F81ED45D15250C0646C21A88731BB5A
                              SHA-512:011D9017F573F5FF2D136044ED8EFBF55CFE5289A16CDE974E771C64FC79FF8F99C105125E94B26586D7C29EB9860AAA970F4F006A082BE225BC27FFBA385533
                              Malicious:false
                              Preview:N..HfP......xr;....5....=.......4~...6...;G".{ru.9...c............f.......9d5.S....oG.A....a;.T...3E).{*/.v.&.N:......R...M(B....Op*q...+....?........x..X.2..)Nz.huh.~.;.{T......b2c-40f215767514}" />.. </query>..</persistedQuery>....\..,.`n..K./...yn..... ....A..1l...ml.f..u.?.p.@f..D..wU......k.oEB....Z....{..#...6+...IE>1.7.z.8IdWSX.S...br...Z......t%.moPn...|.l..7F..O7...V....J.(......z.OXA!n...*w.....$.%.TPG.dlY v.U.............................................................................................tmrk2oxcouu.
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1173
                              Entropy (8bit):7.521935376118675
                              Encrypted:false
                              SSDEEP:
                              MD5:171BE3933DC19EEAFE85065372AB95FD
                              SHA1:59DFEF460C7108BF04A74033F579500CAED363AE
                              SHA-256:AF23BBFB82B7F91C6CEC54C2E8F02B8B0325FBCC1121BEDDF967C2BA91ADB2AC
                              SHA-512:5269A3157D1568178BDDE8EBC7BC83B6AA02C069947A0EAA1F61F7A7DCDCCD0338268982FBCFC2119E4F7EB0B78BFDB923BD9E69557F4A7BE6B934901EE525BC
                              Malicious:false
                              Preview:.okq.&N.b..wpR.v...m...3'..9L~.H....,.......j.eX}.E..y[).O....?}<.kT.c.Hpj..}.M`...$`..g.D.a...}..4.....;.!.B..O]2.R....$|n\85f0.V|{..5...Gg...x*..g.B.z.......a...[.cyv.H..XSd.O....9`O.gJ.x..tg&."...$(..9-..`.b.].._......].~S$.X..QK>.t.8.."gQ.hM?s..} b.g.Ke...#+..b..........9...L.p. ....x{w.{.\..g*YSD.X'.R),-.....k0...x(..`.Y.w.......r...H.n.v.^..7.z.N....5_s.gL...T..O.g.\d...9<.M+AP.#... ...oK.....3.+......k...Y..f$)H0.X=.Z(,..{...B6..wn.Kw.Y.o..v...>....j.JwY.p..y...|.*...t]?W|-Q.+Y_.....oI......6E/j.O...S...>....h.JwY.p..|...|.*...R]?Gy-Q.+YO%.....AJ...4..4h)n.....Q...-.....h.JwY.y...Y8.t.*..7\]FEy.Q..YS).3..o8.....6M*j.O....V...1....Q.l{Y.u..|o..Z.*..'^]'ByYQ.'YO+.0..oM....9.64-j.O...V.*1......lxY.u..|o..x.*...^]7ByUR.&Y_.....oI......Xw.Y.o..v...}_...D.gST.R..TQ4.0.W.searchConnectorDescription>....L..........n....J.KXdO..jWm8.>h.S.r...n.....@X..G.....]*u.b......I.3..rZ.C...t..u...D.q..S.`.........^@x.^...*...>... .Aj..z..2
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):1173
                              Entropy (8bit):7.521935376118675
                              Encrypted:false
                              SSDEEP:
                              MD5:171BE3933DC19EEAFE85065372AB95FD
                              SHA1:59DFEF460C7108BF04A74033F579500CAED363AE
                              SHA-256:AF23BBFB82B7F91C6CEC54C2E8F02B8B0325FBCC1121BEDDF967C2BA91ADB2AC
                              SHA-512:5269A3157D1568178BDDE8EBC7BC83B6AA02C069947A0EAA1F61F7A7DCDCCD0338268982FBCFC2119E4F7EB0B78BFDB923BD9E69557F4A7BE6B934901EE525BC
                              Malicious:false
                              Preview:.okq.&N.b..wpR.v...m...3'..9L~.H....,.......j.eX}.E..y[).O....?}<.kT.c.Hpj..}.M`...$`..g.D.a...}..4.....;.!.B..O]2.R....$|n\85f0.V|{..5...Gg...x*..g.B.z.......a...[.cyv.H..XSd.O....9`O.gJ.x..tg&."...$(..9-..`.b.].._......].~S$.X..QK>.t.8.."gQ.hM?s..} b.g.Ke...#+..b..........9...L.p. ....x{w.{.\..g*YSD.X'.R),-.....k0...x(..`.Y.w.......r...H.n.v.^..7.z.N....5_s.gL...T..O.g.\d...9<.M+AP.#... ...oK.....3.+......k...Y..f$)H0.X=.Z(,..{...B6..wn.Kw.Y.o..v...>....j.JwY.p..y...|.*...t]?W|-Q.+Y_.....oI......6E/j.O...S...>....h.JwY.p..|...|.*...R]?Gy-Q.+YO%.....AJ...4..4h)n.....Q...-.....h.JwY.y...Y8.t.*..7\]FEy.Q..YS).3..o8.....6M*j.O....V...1....Q.l{Y.u..|o..Z.*..'^]'ByYQ.'YO+.0..oM....9.64-j.O...V.*1......lxY.u..|o..x.*...^]7ByUR.&Y_.....oI......Xw.Y.o..v...}_...D.gST.R..TQ4.0.W.searchConnectorDescription>....L..........n....J.KXdO..jWm8.>h.S.r...n.....@X..G.....]*u.b......I.3..rZ.C...t..u...D.q..S.`.........^@x.^...*...>... .Aj..z..2
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:false
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              Process:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1091
                              Entropy (8bit):4.804618998507848
                              Encrypted:false
                              SSDEEP:
                              MD5:6C9D880EC05571BDDCCC87024900A16A
                              SHA1:755249DE858335B5F093AAEDB35702B703A31800
                              SHA-256:AEBC04130914171934740C1815A9C762BDF5D829C5E69A4038E45716402CBF41
                              SHA-512:3E9BC0B1CDF86A19C7C33F0FCD728CEEC86D864C745E736EA5C9D36AC19916CD19C22622158D2344DBD0731E208AB093F06667CF9B6A97A277993404D17180EC
                              Malicious:true
                              Preview:ATTENTION!..Your network has been breached and all data was encrypted. Please contact us at:..https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ ......Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd......*!* To access .onion websites download and install Tor Browser at:.... https://www.torproject.org/ (Tor Browser is not related to us)....*!* To restore all your PCs and get your network working again, follow these instructions:....- Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. It doesn't matter, who are trying to do this, either it will be your IT guys or a recovery agency.....Please follow these simple rules to avoid data corruption:....- Do not modify, rename or delete files. Any attempts to modify, decrypt or rename the files will lead to its fatal corruption. ....- Do not hire a recovery company. They can't decrypt without the key. ..They also don't care about your business. They believe that they are ..good negotiator
                              File type:PE32 executable (GUI) Intel 80386, for MS Windows
                              Entropy (8bit):6.9749779118503
                              TrID:
                              • Win32 Executable (generic) a (10002005/4) 99.94%
                              • Win16/32 Executable Delphi generic (2074/23) 0.02%
                              • Generic Win/DOS Executable (2004/3) 0.02%
                              • DOS Executable Generic (2002/1) 0.02%
                              • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                              File name:bgsTrRPJh0.exe
                              File size:2'026'496 bytes
                              MD5:7c62976c8d0e7434b327ce3c402d8a62
                              SHA1:0d91b68c7b1a1fb5471258591676fcf89025e238
                              SHA256:2413841b2f5f656e269f61644d3957847b199107bb6b141c3208a03df59f0759
                              SHA512:51e43e3d863ff2f549699653c27bf4e08aaabe1d3853a3ed0b2a713ac627295646ef309906ecf1765d9372fc653891c31c87b6bd39676a59ec5b12876e38d58c
                              SSDEEP:49152:qfM4iMoQz20361ERIJ0UWGtT069FKdqd:qfM4RoQz20KVsG+akdqd
                              TLSH:4895DF40B5838336E7712473456AEAB2096E6C308725D9CB2F843E7B6A723D17D3572B
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......W.....................z.......8............@..........................p............@................................
                              Icon Hash:3fc7a3c665f3c37d
                              Entrypoint:0x4238f3
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
                              Time Stamp:0x5706CED3 [Thu Apr 7 21:19:15 2016 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:6
                              OS Version Minor:0
                              File Version Major:6
                              File Version Minor:0
                              Subsystem Version Major:6
                              Subsystem Version Minor:0
                              Import Hash:55debcccb9f46b07c3ac231bd2d82fe4
                              Instruction
                              call 00007F02A085A173h
                              jmp 00007F02A08598C8h
                              retn 0000h
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov eax, dword ptr [eax]
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov eax, dword ptr [eax]
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov edx, 0048E840h
                              mov ecx, 0048E840h
                              sub eax, edx
                              sub ecx, edx
                              cmp eax, ecx
                              jnbe 00007F02A0859AA3h
                              int3
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov edx, 0048E840h
                              mov ecx, 0048E840h
                              sub eax, edx
                              sub ecx, edx
                              cmp eax, ecx
                              jnbe 00007F02A0859AA7h
                              push 00000041h
                              pop ecx
                              int 29h
                              pop ebp
                              ret
                              retn 0000h
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov edx, 0048E840h
                              mov ecx, 0048E840h
                              sub eax, edx
                              sub ecx, edx
                              cmp eax, ecx
                              jnbe 00007F02A0859AB3h
                              cmp dword ptr [0047E61Ch], 00000000h
                              je 00007F02A0859AAAh
                              mov eax, dword ptr [0047E61Ch]
                              pop ebp
                              jmp eax
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              cmp dword ptr [0047E61Ch], 00000000h
                              je 00007F02A0859AAAh
                              mov eax, dword ptr [0047E61Ch]
                              pop ebp
                              jmp eax
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              mov eax, dword ptr [ebp+08h]
                              mov edx, 0048E840h
                              mov ecx, 0048E840h
                              sub eax, edx
                              sub ecx, edx
                              cmp ecx, eax
                              sbb eax, eax
                              inc eax
                              pop ebp
                              ret
                              push ebp
                              mov ebp, esp
                              mov ecx, dword ptr [ebp+08h]
                              mov eax, ecx
                              sub eax, dword ptr [ebp+0Ch]
                              sub eax, 0000E800h
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x90c70 | 0xf0 | .rdata
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x165000 | 0x8ba14 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1f1000 | 0x5128 | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8e790 | 0x70 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x8e880 | 0x18 | .rdata
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x85578 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x90b68 | 0x40 | .rdata
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x1000 | 0x7cafa | 0x7cc00 | fb19051309685d132f57d6f9bb6d37d0 | False | 0.41848149423847697 | data | 6.620753798708146 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rdata | 0x7e000 | 0x14e5e | 0x15000 | 13a07e1b69c8653d925d10ca259ce6c0 | False | 0.5792992001488095 | data | 6.143494678488287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .data | 0x93000 | 0xd1b50 | 0xcbe00 | 79cc67b5bf3130a73db435e9648a39f6 | False | 0.9579102161250767 | data | 7.703272639276241 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                              .rsrc | 0x165000 | 0x8ba14 | 0x8bc00 | 5e3515dd88f307474afa21690c31adaf | False | 0.29014388137298747 | data | 4.673150983084673 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0x1f1000 | 0x5128 | 0x5200 | efec1c110c6bee7d5357998f4a8eba33 | False | 0.7846798780487805 | data | 6.750197029486678 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_CURSOR | 0x165c28 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.4935064935064935
                              RT_BITMAP | 0x165d5c | 0x3b6c8 | Device independent bitmap graphic, 156 x 520 x 24, image size 0 |  |  | 0.00114215283483977
                              RT_BITMAP | 0x1a1424 | 0x3c28 | Device independent bitmap graphic, 240 x 16 x 32, image size 15360, resolution 3779 x 3779 px/m | English | United States | 0.3574675324675325
                              RT_BITMAP | 0x1a504c | 0x428 | Device independent bitmap graphic, 16 x 16 x 32, image size 1024, resolution 3779 x 3779 px/m | English | United States | 0.46522556390977443
                              RT_ICON | 0x1a5474 | 0x1011a | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | English | United States | 0.9996657449329971
                              RT_ICON | 0x1b5590 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 67584 | English | United States | 0.3587927363066367
                              RT_ICON | 0x1c5db8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.49120217288615964
                              RT_ICON | 0x1c9fe0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.5267634854771784
                              RT_ICON | 0x1cc588 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.6088180112570356
                              RT_ICON | 0x1cd630 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.775709219858156
                              RT_ICON | 0x1cda98 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.1303763440860215
                              RT_ICON | 0x1cdd80 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 0 | English | United States | 0.35873358570921565
                              RT_ICON | 0x1de5a8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 0 | English | United States | 0.4910840812470477
                              RT_ICON | 0x1e27d0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | United States | 0.5263485477178423
                              RT_ICON | 0x1e4d78 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | United States | 0.6074108818011257
                              RT_ICON | 0x1e5e20 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | United States | 0.7695035460992907
                              RT_ICON | 0x1e6288 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.31636960600375236
                              RT_ICON | 0x1e7330 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.17659474671669795
                              RT_ICON | 0x1e83d8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2598499061913696
                              RT_ICON | 0x1e9480 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.2298311444652908
                              RT_ICON | 0x1ea528 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.34139784946236557
                              RT_ICON | 0x1ea810 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.3334896810506567
                              RT_ICON | 0x1eb8b8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.21370967741935484
                              RT_MENU | 0x1ebba0 | 0x53e | data | English | United States | 0.39046199701937406
                              RT_DIALOG | 0x1ec0e0 | 0x1a8 | data | English | United States | 0.46226415094339623
                              RT_DIALOG | 0x1ec288 | 0x1b0 | data | English | United States | 0.5393518518518519
                              RT_DIALOG | 0x1ec438 | 0x1dc | data | English | United States | 0.5315126050420168
                              RT_DIALOG | 0x1ec614 | 0x1dc | data | English | United States | 0.5294117647058824
                              RT_DIALOG | 0x1ec7f0 | 0x130 | data | English | United States | 0.569078947368421
                              RT_DIALOG | 0x1ec920 | 0x210 | data | English | United States | 0.48295454545454547
                              RT_DIALOG | 0x1ecb30 | 0x1d4 | data | English | United States | 0.5512820512820513
                              RT_DIALOG | 0x1ecd04 | 0x130 | data | English | United States | 0.5756578947368421
                              RT_DIALOG | 0x1ece34 | 0x560 | data | English | United States | 0.375
                              RT_DIALOG | 0x1ed394 | 0x244 | data | English | United States | 0.5017241379310344
                              RT_DIALOG | 0x1ed5d8 | 0x4a2 | data | English | United States | 0.3979763912310287
                              RT_DIALOG | 0x1eda7c | 0x4ae | data | English | United States | 0.43906510851419034
                              RT_DIALOG | 0x1edf2c | 0x3ba | data | English | United States | 0.40146750524109015
                              RT_DIALOG | 0x1ee2e8 | 0x218 | data | English | United States | 0.5093283582089553
                              RT_STRING | 0x1ee500 | 0xa6 | data | English | United States | 0.6204819277108434
                              RT_STRING | 0x1ee5a8 | 0x1e0 | Matlab v4 mat-file (little endian) i, numeric, rows 0, columns 0 | English | United States | 0.40625
                              RT_STRING | 0x1ee788 | 0x1b0 | data | English | United States | 0.41203703703703703
                              RT_STRING | 0x1ee938 | 0x124 | data | English | United States | 0.6027397260273972
                              RT_STRING | 0x1eea5c | 0xb3e | data | English | United States | 0.24009728978457262
                              RT_STRING | 0x1ef59c | 0x478 | data | English | United States | 0.388986013986014
                              RT_STRING | 0x1efa14 | 0x48 | data | English | United States | 0.6111111111111112
                              RT_ACCELERATOR | 0x1efa5c | 0x1a0 | data | English | United States | 0.5913461538461539
                              RT_GROUP_CURSOR | 0x1efbfc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
                              RT_GROUP_ICON | 0x1efc10 | 0x5a | Targa image data - Map 32 x 282 x 1 +1 | English | United States | 0.7777777777777778
                              RT_GROUP_ICON | 0x1efc6c | 0x14 | data | English | United States | 1.2
                              RT_GROUP_ICON | 0x1efc80 | 0x14 | data | English | United States | 1.25
                              RT_GROUP_ICON | 0x1efc94 | 0x14 | data | English | United States | 1.2
                              RT_GROUP_ICON | 0x1efca8 | 0x14 | data | English | United States | 1.2
                              RT_GROUP_ICON | 0x1efcbc | 0x14 | data | English | United States | 1.2
                              RT_GROUP_ICON | 0x1efcd0 | 0x14 | data | English | United States | 1.2
                              RT_GROUP_ICON | 0x1efce4 | 0x14 | data | English | United States | 1.25
                              RT_GROUP_ICON | 0x1efcf8 | 0x14 | data | English | United States | 1.25
                              RT_GROUP_ICON | 0x1efd0c | 0x4c | data | English | United States | 0.8157894736842105
                              RT_VERSION | 0x1efd58 | 0x22c | data | English | United States | 0.5269784172661871
                              RT_MANIFEST | 0x1eff84 | 0xa90 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (2644), with CRLF line terminators | English | United States | 0.30547337278106507
                              DLL | Import
                              SHLWAPI.dll | PathGetDriveNumberW, StrCmpNIW, StrDupW, StrChrA, PathRelativePathToW, PathIsPrefixW, PathFindFileNameW, PathUnExpandEnvStringsW, PathIsRootW, PathCanonicalizeW, PathFindExtensionW, PathCommonPrefixW, PathCompactPathExW, PathRemoveExtensionW, StrFormatByteSizeW, PathStripPathW, PathRemoveBackslashW, StrRetToBufW, PathMatchSpecW, StrCatBuffW, PathUnquoteSpacesW, StrChrW, StrTrimW, SHAutoComplete, StrCpyNW, PathQuoteSpacesW, PathRenameExtensionW, PathIsDirectoryW, StrRChrW, PathAppendW, PathIsRelativeW, PathFileExistsW, PathAddBackslashW, PathRemoveFileSpecW, PathIsSameRootW
                              PSAPI.DLL | EnumProcessModules, GetModuleFileNameExW
                              USER32.dll | OffsetRect, OpenClipboard, BeginDeferWindowPos, GetSubMenu, TrackPopupMenu, LoadAcceleratorsW, DeleteMenu, ShowOwnedPopups, CopyImage, MessageBoxW, EqualRect, IsWindowVisible, ShowWindowAsync, GetMessagePos, LoadMenuW, CharUpperW, GetKeyState, DefWindowProcW, GetMenuItemInfoW, DeferWindowPos, GetMessageW, CloseClipboard, SetMenuItemInfoW, EmptyClipboard, RegisterClassW, SetWindowPlacement, FrameRect, SetMenuDefaultItem, EnumWindows, GetMessageTime, IntersectRect, SetFocus, BringWindowToTop, TranslateAcceleratorW, GetWindowDC, EndDeferWindowPos, SetClipboardData, CheckMenuItem, IsZoomed, KillTimer, PostQuitMessage, GetSysColorBrush, EnableMenuItem, RegisterWindowMessageW, UpdateWindow, IsIconic, GetWindowThreadProcessId, DrawAnimatedRects, FindWindowExW, GetDC, MonitorFromRect, SetActiveWindow, LoadStringA, SetWindowTextW, LoadStringW, DdeCreateStringHandleW, DdeConnect, GetMonitorInfoW, DdeInitializeW, SetTimer, SetWindowCompositionAttribute, SystemParametersInfoW, SetPropW, RedrawWindow, SendMessageW, wsprintfW, GetSysColor, CharPrevW, GetWindowPlacement, GetSystemMetrics, DdeUninitialize, DialogBoxIndirectParamW, DdeClientTransaction, SetLayeredWindowAttributes, CharUpperBuffW, SetRect, DdeDisconnect, SetForegroundWindow, LoadImageW, ReleaseDC, GetPropW, RemovePropW, DispatchMessageW, PeekMessageW, TranslateMessage, GetWindowLongW, GetWindowTextLengthW, GetSystemMenu, AdjustWindowRectEx, PostMessageW, CheckMenuRadioItem, GetWindowRect, GetFocus, DestroyWindow, SetWindowPos, CheckRadioButton, MessageBoxExW, CreateWindowExW, EndDialog, MessageBeep, CreatePopupMenu, WindowFromPoint, DestroyCursor, ShowWindow, DestroyIcon, GetDlgCtrlID, SetDlgItemTextW, MapWindowPoints, GetDlgItemTextW, SendDlgItemMessageW, IsWindowEnabled, IsDlgButtonChecked, DestroyMenu, GetMenuStringW, CharNextW, LoadIconW, LoadCursorW, GetClassNameW, SetCapture, InsertMenuW, SetCursor, SetWindowLongW, TrackPopupMenuEx, GetComboBoxInfo, GetClientRect, GetDlgItem, AppendMenuW, CheckDlgButton, GetParent, ReleaseCapture, InvalidateRect, ChildWindowFromPoint, GetCursorPos, EnableWindow, GetWindowTextW, DdeFreeStringHandle
                              KERNEL32.dll | RaiseException, GetSystemInfo, VirtualQuery, GetModuleHandleW, LoadLibraryExA, EnterCriticalSection, LeaveCriticalSection, DecodePointer, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, WaitForSingleObjectEx, ReadConsoleW, GetConsoleMode, VirtualProtect, CompareStringOrdinal, FreeLibrary, LoadLibraryExW, ReadFile, lstrlenW, WriteFile, lstrcpynW, ExpandEnvironmentStringsW, GetModuleFileNameW, SetFilePointer, SetEndOfFile, UnlockFileEx, CreateFileW, GetSystemDirectoryW, MultiByteToWideChar, lstrcatW, CloseHandle, LockFileEx, GetFileSize, WideCharToMultiByte, lstrcpyW, lstrcmpiW, lstrcmpW, FlushFileBuffers, GetShortPathNameW, LocalAlloc, GetFileAttributesW, SetFileAttributesW, FormatMessageW, GetLastError, GetCurrentDirectoryW, LocalFree, WaitForSingleObject, CreateEventW, SetEvent, GlobalAlloc, GlobalFree, ResetEvent, SizeofResource, SearchPathW, GetLocaleInfoEx, FreeResource, OpenProcess, LockResource, LoadLibraryW, LoadResource, FindResourceW, GetWindowsDirectoryW, GetProcAddress, GlobalLock, GlobalUnlock, MulDiv, CreateDirectoryW, FindFirstFileW, GetCommandLineW, SetErrorMode, FindClose, GetUserPreferredUILanguages, FindFirstChangeNotificationW, GetVersion, ResolveLocaleName, GlobalSize, FileTimeToSystemTime, FindCloseChangeNotification, FileTimeToLocalFileTime, FindNextChangeNotification, SetCurrentDirectoryW, GetTimeFormatW, ExitProcess, VerSetConditionMask, CopyFileW, VerifyVersionInfoW, GetDateFormatW, MapViewOfFile, CreateFileMappingW, LocaleNameToLCID, FindResourceExW, LCIDToLocaleName, UnmapViewOfFile, GetVersionExW, GetLocaleInfoW, GetUserDefaultUILanguage, GetSystemDefaultUILanguage, SetLastError, UnhandledExceptionFilter, GetConsoleOutputCP, HeapReAlloc, HeapSize, SetFilePointerEx, GetFileSizeEx, GetStringTypeW, SetStdHandle, OutputDebugStringW, SetConsoleCtrlHandler, GetProcessHeap, SetEnvironmentVariableW, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineA, GetCPInfo, GetOEMCP, GetACP, IsValidCodePage, FindNextFileW, FindFirstFileExW, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, LCMapStringW, CompareStringW, GetFileType, HeapAlloc, HeapFree, GetCurrentThread, GetStdHandle, GetModuleHandleExW, FreeLibraryAndExitThread, ResumeThread, ExitThread, CreateThread, TlsFree, TlsSetValue, TlsGetValue, TlsAlloc, EncodePointer, InterlockedFlushSList, InterlockedPushEntrySList, RtlUnwind, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, GetCurrentProcessId, QueryPerformanceCounter, GetStartupInfoW, IsDebuggerPresent, IsProcessorFeaturePresent, TerminateProcess, GetCurrentProcess, SetUnhandledExceptionFilter, WriteConsoleW
                              GDI32.dll | GetStockObject, SetBkColor, ExtTextOutW, EnumFontsW, GetDeviceCaps, SetTextColor, GetObjectW, DeleteObject, CreateSolidBrush, CreateFontIndirectW
                              COMDLG32.dll | GetSaveFileNameW, ChooseColorW, GetOpenFileNameW
                              ADVAPI32.dll | RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                              SHELL32.dll | SHGetFolderPathW, SHGetSpecialFolderPathW, ShellExecuteW, SHCreateDirectoryExW, SHFileOperationW, SHBrowseForFolderW, SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHGetFileInfoW, SHGetDesktopFolder, SHAppBarMessage, DragQueryFileW, Shell_NotifyIconW, DragAcceptFiles, DragFinish, SHGetDataFromIDListW
                              ole32.dll | OleUninitialize, CoCreateInstance, OleInitialize, CoUninitialize, CoTaskMemAlloc, CoTaskMemFree, CoInitialize, DoDragDrop
                              ntdll.dll | RtlGetNtVersionNumbers
                              COMCTL32.dll | ImageList_AddMasked, InitCommonControlsEx, ImageList_Create, ImageList_Destroy, PropertySheetW
                              Language of compilation system | Country where language is spoken
                              English | United States
                              No network behavior found


                              Target ID:0
                              Start time:02:49:04
                              Start date:27/10/2024
                              Path:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\bgsTrRPJh0.exe"
                              Imagebase:0x130000
                              File size:2'026'496 bytes
                              MD5 hash:7C62976C8D0E7434B327CE3C402D8A62
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 00000000.00000003.1343855548.0000000003150000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:3
                              Start time:02:49:09
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x410000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:02:49:09
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff75da10000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:02:49:09
                              Start date:27/10/2024
                              Path:C:\Windows\System32\vssadmin.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x7ff72d220000
                              File size:145'920 bytes
                              MD5 hash:B58073DB8892B67A672906C9358020EC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:10
                              Start time:02:49:22
                              Start date:27/10/2024
                              Path:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\bgsTrRPJh0.exe"
                              Imagebase:0x130000
                              File size:2'026'496 bytes
                              MD5 hash:7C62976C8D0E7434B327CE3C402D8A62
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 0000000A.00000003.1540348428.00000000027A0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:11
                              Start time:04:35:45
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x410000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:12
                              Start time:04:35:45
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff75da10000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:04:35:45
                              Start date:27/10/2024
                              Path:C:\Windows\System32\vssadmin.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x7ff72d220000
                              File size:145'920 bytes
                              MD5 hash:B58073DB8892B67A672906C9358020EC
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                              Target ID:14
                              Start time:04:35:47
                              Start date:27/10/2024
                              Path:C:\Users\user\Desktop\bgsTrRPJh0.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\bgsTrRPJh0.exe"
                              Imagebase:0x130000
                              File size:2'026'496 bytes
                              MD5 hash:7C62976C8D0E7434B327CE3C402D8A62
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 0000000E.00000002.1654369446.00000000028F0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_BlackBasta, Description: Yara detected BlackBasta ransomware, Source: 0000000E.00000003.1624465701.0000000002810000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:15
                              Start time:04:35:53
                              Start date:27/10/2024
                              Path:C:\Windows\SysWOW64\cmd.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Windows\system32\cmd.exe /c C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x410000
                              File size:236'544 bytes
                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:16
                              Start time:04:35:53
                              Start date:27/10/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff75da10000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:17
                              Start time:04:35:54
                              Start date:27/10/2024
                              Path:C:\Windows\System32\vssadmin.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\SysNative\vssadmin.exe delete shadows /all /quiet
                              Imagebase:0x7ff72d220000
                              File size:145'920 bytes
                              MD5 hash:B58073DB8892B67A672906C9358020EC
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:moderate
                              Has exited:true

                                Execution Graph

                                Execution Coverage:3.3%
                                Dynamic/Decrypted Code Coverage:19.9%
                                Signature Coverage:37.5%
                                Total number of Nodes:658
                                Total number of Limit Nodes:44
CryptAcquireContextA 64833->64842 64835 28bf3a0 64850 28bf220 64835->64850 64837 28bf3ac CryptGenRandom 64838 28bf3ba 64837->64838 64841 28bf418 64837->64841 64839 28bf3cc CryptReleaseContext 64838->64839 64840 28bf3d5 64838->64840 64839->64840 64840->64831 64843 28bec9b GetLastError CryptAcquireContextA 64842->64843 64845 28becc6 64842->64845 64844 28becb5 CryptAcquireContextA 64843->64844 64843->64845 64844->64845 64846 28bece4 SetLastError 64844->64846 64845->64835 64847 28becf8 64846->64847 64848 28bed19 ___std_exception_copy 64847->64848 64849 28bed89 64848->64849 64849->64835 64851 28bf265 64850->64851 64852 28bf28e 64851->64852 64853 28bec50 6 API calls 64851->64853 64855 28bf2b2 64851->64855 64854 28bf2a9 CryptReleaseContext 64852->64854 64852->64855 64853->64852 64854->64855 64855->64837
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • API String ID: 0-2600806223
                                • Opcode ID: f0dfac77667580c299606f46480e4dfdccc5b7e98195442aa35942830fdde176
                                • Instruction ID: f4fcd79c548602e74eca1a0b1ebab1f19a63316387d77259873a3c5a92529423
                                • Opcode Fuzzy Hash: f0dfac77667580c299606f46480e4dfdccc5b7e98195442aa35942830fdde176
                                • Instruction Fuzzy Hash: B6936A789142A98ACB28DF64CC547EEB7B1AF18304F0495EEC40DEB210E7755B85CF5A

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00132810: PathFileExistsW.SHLWAPI(00290388,?,?,00134A32,9AAD4D09), ref: 00132827
                                  • Part of subcall function 00132810: PathIsDirectoryW.SHLWAPI(00290388), ref: 0013283A
                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,C:\Users\user\Documents), ref: 00134E29
                                • GetSystemDirectoryW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,00000104), ref: 00134E7A
                                • PathAddBackslashW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 00134E85
                                • lstrcatW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,Viewers\Quikview.exe), ref: 00134E95
                                • lstrcpyW.KERNEL32(002925BC,%USERPROFILE%\Desktop), ref: 00134EF7
                                  • Part of subcall function 00145E90: StrCmpNIW.SHLWAPI(C:\Users\user\Documents,%CSIDL:MYDOCUMENTS%,00000013,?,00000002), ref: 00145EB3
                                  • Part of subcall function 00145E90: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?,?,00000002), ref: 00145ED3
                                  • Part of subcall function 00145E90: PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00145EE5
                                  • Part of subcall function 00145E90: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,?,00000002), ref: 00145F0B
                                  • Part of subcall function 00145E90: lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00145F2A
                                  • Part of subcall function 00145E90: PathIsRelativeW.SHLWAPI(?,?,00000002), ref: 00145F34
                                  • Part of subcall function 00145E90: GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,?,00000002), ref: 00145F4A
                                  • Part of subcall function 00145E90: PathRemoveFileSpecW.SHLWAPI(?,?,00000002), ref: 00145F55
                                  • Part of subcall function 00145E90: PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00145F68
                                  • Part of subcall function 00145E90: PathCanonicalizeW.SHLWAPI(?,?,?,00000002), ref: 00145F8C
                                  • Part of subcall function 00145E90: lstrcpyW.KERNEL32(?,?,?,00000002), ref: 00145FA3
                                  • Part of subcall function 00145E90: PathGetDriveNumberW.SHLWAPI(?,?,00000002), ref: 00145FAE
                                  • Part of subcall function 00145E90: CharUpperBuffW.USER32(00000001,00000001,?,00000002), ref: 00145FC0
                                  • Part of subcall function 00145E90: lstrcpynW.KERNEL32(C:\Users\user\Documents,00000104,00000104,?,00000002), ref: 00145FE6
                                  • Part of subcall function 00145E90: lstrcpynW.KERNEL32(?,C:\Users\user\Documents,00000104,?,00000002), ref: 00145EF4
                                  • Part of subcall function 00145E90: lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00145F7D
                                  • Part of subcall function 001333B0: lstrlenW.KERNEL32(?,?), ref: 00133516
                                • SHGetSpecialFolderPathW.SHELL32(00000000,C:\Users\user\Desktop,00000010,00000001), ref: 00134F5F
                                • lstrcpyW.KERNEL32(*.*,*.*), ref: 00135012
                                • lstrcpynW.KERNEL32(0029493C,00000000,00000100), ref: 00135065
                                • GetSysColor.USER32(00000008), ref: 001350CD
                                • GetSysColor.USER32(0000000D), ref: 001350F5
                                • lstrcpyW.KERNEL32(002927C4,1 2 3 4 5 0 8), ref: 00135125
                                • lstrcpyW.KERNEL32(00293F24,002927C4), ref: 00135156
                                • GetSystemMetrics.USER32(00000000), ref: 00135252
                                • GetSystemMetrics.USER32(00000001), ref: 00135258
                                • wsprintfW.USER32 ref: 001352DD
                                • wsprintfW.USER32 ref: 001352ED
                                • wsprintfW.USER32 ref: 001352FD
                                • wsprintfW.USER32 ref: 0013530D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$lstrcpylstrcpyn$wsprintf$FileFolderSystem$AppendColorDirectoryMetrics$BackslashBuffCanonicalizeCharDriveEnvironmentExistsExpandModuleNameNumberRelativeRemoveSpecSpecialStringsUpperlstrcatlstrlen
                                • String ID: %USERPROFILE%\Desktop$%ix%i PosX$%ix%i PosY$%ix%i SizeX$%ix%i SizeY$*.*$*.*$1 2 3 4 5 0 8$AlwaysOnTop$BitmapDefault$BitmapDisabled$BitmapHot$C:\Users\user\Desktop$C:\Users\user\Documents$C:\Windows\system32\Viewers\Quikview.exe$ClearReadOnly$ColorFilter$ColorNoFilter$CopyMoveDlgSizeX$DefColorFilter$DefColorNoFilter$EscFunction$Favorites$FileFilter$FillMask$FocusEdit$FocusLostOpacity$FullRowSelect$GotoDlgSizeX$MinimizeToTray$NegativeFilter$NoConfirmDelete$OpacityLevel$OpenWithDir$OpenWithDlgSizeX$OpenWithDlgSizeY$Quikview.exe$QuikviewParams$RenameOnCollision$SaveSettings$Settings$Settings2$ShowDriveBox$ShowStatusbar$ShowToolbar$SingleClick$SortOptions$SortReverse$StartupDirectory$Toolbar Images$ToolbarButtons$TrackSelect$TransparentMode$UseRecycleBin$Viewers\Quikview.exe$Window
                                • API String ID: 3534769242-3254790454
                                • Opcode ID: c62c474db70e6baf5dc62db761a75a140e0dd81650bcd713e03e2d6e3b0ba1fe
                                • Instruction ID: bf3ac72cbc11e41213b44f2dcb5827591fbf1412551df7fdd0a5befef9b85d50
                                • Opcode Fuzzy Hash: c62c474db70e6baf5dc62db761a75a140e0dd81650bcd713e03e2d6e3b0ba1fe
                                • Instruction Fuzzy Hash: AE12F5F4B403416BEB18EB65BD0B7AA35A1E79470CF00403AE509EB3D2FBB199548B52

                                Control-flow Graph

                                APIs
                                • GetVersion.KERNEL32 ref: 00148662
                                • SetErrorMode.KERNELBASE(00008001), ref: 00148685
                                  • Part of subcall function 00131E10: RtlGetNtVersionNumbers.NTDLL ref: 00131E31
                                  • Part of subcall function 00131E10: LoadLibraryExW.KERNEL32(comctl32.dll,00000000,00000800), ref: 00131EB3
                                  • Part of subcall function 00131E10: FreeLibrary.KERNEL32(00000000), ref: 00131F01
                                • GetSysColor.USER32(00000008), ref: 001486EC
                                • GetSysColor.USER32(00000005), ref: 001486F5
                                • GetSysColor.USER32(00000017), ref: 001486FE
                                • GetSysColor.USER32(00000018), ref: 00148707
                                • GetSysColor.USER32(0000000E), ref: 00148710
                                • GetSysColor.USER32(0000000D), ref: 00148719
                                • GetSysColor.USER32(00000002), ref: 00148722
                                • GetSysColor.USER32(00000001), ref: 0014872B
                                • GetSysColor.USER32(0000000F), ref: 00148734
                                • GetSysColor.USER32(0000000F), ref: 0014873D
                                • GetSysColor.USER32(0000000F), ref: 00148746
                                • GetSysColor.USER32(0000000F), ref: 0014874F
                                • GetSysColor.USER32(0000000F), ref: 00148758
                                • GetSysColor.USER32(0000000F), ref: 00148761
                                  • Part of subcall function 0014F4E0: GetCommandLineW.KERNEL32(?,75A3CF90,?,?,?,0014877B), ref: 0014F4E5
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F509
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F51A
                                  • Part of subcall function 0014F4E0: lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F52C
                                  • Part of subcall function 0014F4E0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F53E
                                  • Part of subcall function 0014F4E0: lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F543
                                  • Part of subcall function 0014F4E0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F54F
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F55B
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F593
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F5A7
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F5D5
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F60B
                                  • Part of subcall function 00134450: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,75A3CF90), ref: 00134476
                                  • Part of subcall function 00134450: lstrcmpiW.KERNEL32(00290388,001BD624), ref: 00134494
                                  • Part of subcall function 00134740: lstrcmpiW.KERNEL32(00290388,001BD624,75A3CF90), ref: 0013475F
                                  • Part of subcall function 00134740: lstrcpyW.KERNEL32(C:\Users\user\Desktop\bgsTrRPJh0.ini,001BD420), ref: 00134779
                                  • Part of subcall function 00134740: lstrcpyW.KERNEL32(00290388,001BD420), ref: 00134785
                                  • Part of subcall function 00134070: StrRChrW.SHLWAPI(00290388,00000000,0000005C,?,?,?,001354A3), ref: 0013408A
                                  • Part of subcall function 00134070: SHCreateDirectoryExW.SHELL32(00000000,00290388,00000000,?,?,?,001354A3), ref: 001340A2
                                  • Part of subcall function 00134070: PathFileExistsW.SHLWAPI(00290388,?,?,?,001354A3), ref: 001340B5
                                  • Part of subcall function 00134070: PathIsDirectoryW.SHLWAPI(00290388), ref: 001340C4
                                  • Part of subcall function 00134070: CreateFileW.KERNEL32(00290388,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001354A3), ref: 001340E3
                                  • Part of subcall function 00134070: GetFileSize.KERNEL32(00000000,?), ref: 001340FE
                                  • Part of subcall function 00134070: CloseHandle.KERNEL32(00000000), ref: 00134107
                                  • Part of subcall function 00150030: EnumWindows.USER32(0014FFB0,00000000), ref: 00150071
                                  • Part of subcall function 00150030: IsWindowEnabled.USER32(00000000), ref: 00150084
                                  • Part of subcall function 00150030: IsIconic.USER32(00000000), ref: 00150096
                                  • Part of subcall function 00150030: ShowWindowAsync.USER32(00000009,00000009), ref: 001500A6
                                  • Part of subcall function 00150030: IsWindowVisible.USER32(00000000), ref: 001500B0
                                  • Part of subcall function 00150030: SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 001500D0
                                  • Part of subcall function 00150030: SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 001500E2
                                  • Part of subcall function 00150030: SetForegroundWindow.USER32(00000000), ref: 001500E8
                                  • Part of subcall function 00150030: GlobalSize.KERNEL32(?), ref: 001500FC
                                  • Part of subcall function 00150030: PathIsRelativeW.SHLWAPI ref: 00150117
                                  • Part of subcall function 00150030: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0015012B
                                  • Part of subcall function 00150030: PathAppendW.SHLWAPI(?), ref: 0015013C
                                  • Part of subcall function 00150030: lstrcpyW.KERNEL32(?), ref: 0015014D
                                  • Part of subcall function 00150030: GlobalSize.KERNEL32 ref: 00150161
                                  • Part of subcall function 00150030: SendMessageW.USER32(?,0000004A,00000000,?), ref: 00150181
                                  • Part of subcall function 00150030: GlobalFree.KERNEL32 ref: 00150189
                                • OleInitialize.OLE32(00000000), ref: 0014879D
                                • InitCommonControlsEx.COMCTL32(?), ref: 001487BC
                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001487C7
                                  • Part of subcall function 00131E10: VirtualProtect.KERNELBASE(00000000,00000004,00000004,?,?), ref: 00131F49
                                  • Part of subcall function 00131E10: VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 00131F6F
                                  • Part of subcall function 00131E10: FreeLibrary.KERNEL32(00000000), ref: 00131F73
                                • GetSysColor.USER32(00000005), ref: 0014880A
                                • CreateSolidBrush.GDI32(00000000), ref: 00148813
                                • GetSysColor.USER32(0000000F), ref: 00148842
                                • CreateSolidBrush.GDI32(00000000), ref: 00148845
                                • GetSystemMetrics.USER32(0000000B), ref: 00148854
                                • GetSystemMetrics.USER32(0000000C), ref: 0014885A
                                • GetSystemMetrics.USER32(00000031), ref: 00148861
                                • GetSystemMetrics.USER32(00000032), ref: 00148868
                                • #381.COMCTL32(?,00000064,00000000,?,00290E68), ref: 0014888A
                                • #381.COMCTL32(?,00000064,?,00000000,00290840), ref: 001488A4
                                • LoadCursorW.USER32(?,00007F00), ref: 001488D3
                                • RegisterClassW.USER32(00002000), ref: 001488F5
                                • LoadLibraryW.KERNELBASE(erherthgrgherhre.erhgerg), ref: 00148916
                                • GlobalAlloc.KERNELBASE(00000000,00000000), ref: 0014891B
                                • LoadLibraryW.KERNEL32(00000000), ref: 0014892A
                                • ExitProcess.KERNEL32 ref: 00148936
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Color$lstrcpy$LibrarySystemWindow$CreateFileGlobalLoadMessageMetricsPath$AllocDirectoryFreeSendSize$#381BrushLocalProtectRegisterSolidVersionVirtuallstrcmpilstrlen$AppendAsyncClassCloseCommandCommonControlsCurrentCursorEnabledEnumErrorExistsExitForegroundHandleIconicInfoInitInitializeLineModeModuleNameNumbersParametersProcessRelativeShowVisibleWindows
                                • String ID: *.*$333$MiniPath$TaskbarCreated$erherthgrgherhre.erhgerg
                                • API String ID: 1151885106-3872912507
                                • Opcode ID: 12c332d36bdaa6e485f2ef781984ace4bbf0064fd66a09217db991c95bdc9370
                                • Instruction ID: cd215cd67f7281f49b19ba19aa9e82d7328fb73ccbbb29108c01626a33fc9582
                                • Opcode Fuzzy Hash: 12c332d36bdaa6e485f2ef781984ace4bbf0064fd66a09217db991c95bdc9370
                                • Instruction Fuzzy Hash: 4B814274E40319AAEB10AFB6FD4D7AE3FA4EF09754F00442BE5049B2A1EB754454CFA1

                                Control-flow Graph

                                APIs
                                • GetTempPathW.KERNEL32(00000000,00000000,00000104,00000000,6B22EED2,00000000,00000000), ref: 0288DBD9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: PathTemp
                                • String ID: -$-bomb$-file$-nomutex$-threads$.xuy08dak6$E$F$b$cesses$g$ivate$o$t$u$vices
                                • API String ID: 2920410445-1226628546
                                • Opcode ID: adb68a1d77dc16c68050b6b4c2450c0735bcb42745caa6b4be363b3f9abde49a
                                • Instruction ID: dff1e27fe6ce440f7b16b6a3165aa37ba2fca6faf0597331a386bf9c413081dd
                                • Opcode Fuzzy Hash: adb68a1d77dc16c68050b6b4c2450c0735bcb42745caa6b4be363b3f9abde49a
                                • Instruction Fuzzy Hash: 13E19E78A10208DFDB14DFA8D858BEEBBF5FF48708F104659E909AB680E7746A44CF54

                                Control-flow Graph

                                APIs
                                • EnumWindows.USER32(0014FFB0,00000000), ref: 00150071
                                • IsWindowEnabled.USER32(00000000), ref: 00150084
                                • IsIconic.USER32(00000000), ref: 00150096
                                • ShowWindowAsync.USER32(00000009,00000009), ref: 001500A6
                                • IsWindowVisible.USER32(00000000), ref: 001500B0
                                • SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 001500D0
                                • SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 001500E2
                                • SetForegroundWindow.USER32(00000000), ref: 001500E8
                                • GlobalSize.KERNEL32(?), ref: 001500FC
                                • PathIsRelativeW.SHLWAPI ref: 00150117
                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0015012B
                                • PathAppendW.SHLWAPI(?), ref: 0015013C
                                • lstrcpyW.KERNEL32(?), ref: 0015014D
                                • GlobalSize.KERNEL32 ref: 00150161
                                • SendMessageW.USER32(?,0000004A,00000000,?), ref: 00150181
                                • GlobalFree.KERNEL32 ref: 00150189
                                • LoadStringW.USER32(0000C35F,?,00000100), ref: 001501C5
                                • LoadStringW.USER32(0000C35F,?,00000100), ref: 001501E0
                                • StrChrW.SHLWAPI(?,0000000A), ref: 001501E9
                                • MessageBoxW.USER32(00000000,00000000,?,00010024), ref: 00150208
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageWindow$GlobalSend$LoadPathSizeString$AppendAsyncCurrentDirectoryEnabledEnumForegroundFreeIconicRelativeShowVisibleWindowslstrcpy
                                • String ID:
                                • API String ID: 648661597-0
                                • Opcode ID: e5f97daa65a21c6cfc590d1c83cf6c64a690952c4c9f62d7da5bad3d8ee84367
                                • Instruction ID: 4ab7ad9b31f08f37e3d6adcc862742c8acfb7ac814ee388afbcbe4f9c174f081
                                • Opcode Fuzzy Hash: e5f97daa65a21c6cfc590d1c83cf6c64a690952c4c9f62d7da5bad3d8ee84367
                                • Instruction Fuzzy Hash: 8B516B71640306EFEB219F60EC4EB5A3BE8FF49701F00441AF959DA1B0DB719898CB52

                                Control-flow Graph

                                APIs
                                • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,6B22EED2,02956E58,00000000,?), ref: 028BEC95
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,00000000,02924FCD,000000FF,?,028BF3A0), ref: 028BEC9B
                                • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 028BECAF
                                • CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 028BECC0
                                • SetLastError.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,02924FCD,000000FF), ref: 028BECE5
                                • ___std_exception_copy.LIBVCRUNTIME ref: 028BED62
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: AcquireContextCrypt$ErrorLast$___std_exception_copy
                                • String ID: CryptAcquireContext$Crypto++ RNG
                                • API String ID: 616088579-1159690233
                                • Opcode ID: a23b111f514e1b622e3e07919694d978fce6c7246498cc1a82057806a816cfd9
                                • Instruction ID: 01b1b5580f08cf11bcf542b70e4adcf171a849fee2e80165c026b3f0c8549c34
                                • Opcode Fuzzy Hash: a23b111f514e1b622e3e07919694d978fce6c7246498cc1a82057806a816cfd9
                                • Instruction Fuzzy Hash: 5E4193B6A44719ABE711DF98CC41FDAB7ECFF44B10F00462AF915E7680EB74A5048BA0

                                Control-flow Graph

                                APIs
                                • GetUserPreferredUILanguages.KERNELBASE(00000008,?,00000000,00000000), ref: 00148541
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00148559
                                • GetUserPreferredUILanguages.KERNEL32(00000008,?,00000000,?), ref: 00148576
                                • LocalFree.KERNEL32(00000000), ref: 001485C8
                                • GetLocaleInfoEx.KERNEL32(00000000,0000005C,?,00000055), ref: 001485E0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LanguagesLocalPreferredUser$AllocFreeInfoLocale
                                • String ID:
                                • API String ID: 1113077726-0
                                • Opcode ID: 7723e9623b4fc4cd4d1fae970324d41bcd92b356dbe46e0f4cb0dd87236ef8e1
                                • Instruction ID: ad77b030042c629279fad0d954364c707ef57a5f650881996c75a5e099a843ca
                                • Opcode Fuzzy Hash: 7723e9623b4fc4cd4d1fae970324d41bcd92b356dbe46e0f4cb0dd87236ef8e1
                                • Instruction Fuzzy Hash: D6316DB26043059FE314DF14DC45B6FB7E8EB85711F40842EF955CA291EB74D909CBA2

                                Control-flow Graph

                                APIs
                                • CryptGenRandom.ADVAPI32(00000000,?,00000000,00000001), ref: 028BF3B0
                                • CryptReleaseContext.ADVAPI32(?,00000000), ref: 028BF3CF
                                  • Part of subcall function 028BEDB0: GetLastError.KERNEL32(6B22EED2,7686FC30,?), ref: 028BEDF8
                                  • Part of subcall function 028F2B24: RaiseException.KERNEL32(E06D7363,00000001,00000003,0288FBAC,?,?,?,?,0288FBAC,?,02944280), ref: 028F2B84
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Crypt$ContextErrorExceptionLastRaiseRandomRelease
                                • String ID: CryptGenRandom
                                • API String ID: 2561026028-3616286655
                                • Opcode ID: f6e3f92b08e17a20cc4f12b7a0913a27e5c32049fe8bee0cdfcac0e6ecc9db52
                                • Instruction ID: 6ec986e31706c3e8eb65299f6d3ef34d2f058a4500f5aa8ac2c0470d3f630df1
                                • Opcode Fuzzy Hash: f6e3f92b08e17a20cc4f12b7a0913a27e5c32049fe8bee0cdfcac0e6ecc9db52
                                • Instruction Fuzzy Hash: C231B279D00258ABEB11DFA8C854FDEBBB8EF18714F040529E916A7384DB746A08CB61
                                APIs
                                • CryptReleaseContext.ADVAPI32(00000000,00000000), ref: 028BF2AC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ContextCryptRelease
                                • String ID:
                                • API String ID: 829835001-0
                                • Opcode ID: a437a11c57daedcaa5647e65d0fb6e564a3d50010c3eb59bf373e6fc8afd242d
                                • Instruction ID: 48348b831fdff194ef1916de6bb36b6476321b4387e7a8b63577f43206685279
                                • Opcode Fuzzy Hash: a437a11c57daedcaa5647e65d0fb6e564a3d50010c3eb59bf373e6fc8afd242d
                                • Instruction Fuzzy Hash: FC21A27DF44310DBE721CB68DC05BA5B3E5EF55A21F104929EA09D3B80E771A9108BD1

                                Control-flow Graph

                                APIs
                                • lstrcmpiW.KERNEL32(00290388,001BD624,75A3CF90), ref: 0013475F
                                • lstrcpyW.KERNEL32(C:\Users\user\Desktop\bgsTrRPJh0.ini,001BD420), ref: 00134779
                                • lstrcpyW.KERNEL32(00290388,001BD420), ref: 00134785
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 001347AD
                                • lstrlenW.KERNEL32(00290388), ref: 001347CA
                                • CharPrevW.USER32(00290388,00000000), ref: 001347DD
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001347F9
                                • PathFindFileNameW.SHLWAPI(?), ref: 00134804
                                • PathAppendW.SHLWAPI(00290388,00000000), ref: 0013480C
                                • PathRenameExtensionW.SHLWAPI(00290388,.ini), ref: 0013481C
                                • PathFileExistsW.SHLWAPI(00290388), ref: 00134827
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 00134832
                                • PathFindFileNameW.SHLWAPI(00290388,minipath.ini), ref: 00134842
                                • lstrcpyW.KERNEL32(00000000), ref: 00134845
                                • PathFileExistsW.SHLWAPI(00290388), ref: 0013484C
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 00134857
                                • PathFindFileNameW.SHLWAPI(?), ref: 00134862
                                • PathFindFileNameW.SHLWAPI(00290388), ref: 0013486B
                                • lstrcpyW.KERNEL32(00000000,00000000), ref: 0013486F
                                • PathRenameExtensionW.SHLWAPI(00290388,.ini), ref: 0013487B
                                • PathIsDirectoryW.SHLWAPI(00290180), ref: 0013488C
                                • lstrlenW.KERNEL32(00290180), ref: 00134897
                                • CharPrevW.USER32(00290180,00000000), ref: 001348AA
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001348C6
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 001348D1
                                • lstrcatW.KERNEL32(?,\Notepad3.exe), ref: 001348E1
                                • PathFindFileNameW.SHLWAPI(?), ref: 001348EC
                                • PathAppendW.SHLWAPI(00290180,00000000), ref: 001348F4
                                • PathRenameExtensionW.SHLWAPI(00290180,.ini), ref: 00134904
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$File$Name$Find$Directorylstrcpy$ExtensionRename$AppendCharExistsModulePrevlstrlen$RemoveSpeclstrcatlstrcmpi
                                • String ID: .ini$C:\Users\user\Desktop\bgsTrRPJh0.ini$\Notepad3.exe$minipath.ini$notepad3.ini
                                • API String ID: 882991028-2059742083
                                • Opcode ID: 4c6ef488b8c922e1384c92c24b91cc1542159403383ae6bad79ef68dc639b288
                                • Instruction ID: 5aebfe574a2b93373e9f0fd768a7f9d8d03241787af38e50b6256056888b9071
                                • Opcode Fuzzy Hash: 4c6ef488b8c922e1384c92c24b91cc1542159403383ae6bad79ef68dc639b288
                                • Instruction Fuzzy Hash: 3051447275030DBFDF50A7F59C86E6A3AD8AF4AB84F010555FD04D24E0EBA0E8548A7E

                                Control-flow Graph

                                APIs
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,75DA4E90,771EF860,?,75DAA6F0), ref: 0013418A
                                • PathIsRelativeW.SHLWAPI(?,?,75DAA6F0), ref: 00134198
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341B2
                                • PathFindFileNameW.SHLWAPI(?,?,?,75DAA6F0), ref: 001341C1
                                • lstrcpyW.KERNEL32(00000000,?,75DAA6F0), ref: 001341C8
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 001341CF
                                • PathIsDirectoryW.SHLWAPI(?), ref: 001341E4
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341F4
                                • PathRemoveFileSpecW.SHLWAPI(?,?,75DAA6F0), ref: 001341FB
                                • lstrcatW.KERNEL32(?,\np3\,?,75DAA6F0), ref: 00134211
                                • lstrcatW.KERNEL32(?,?,?,75DAA6F0), ref: 00134220
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 00134227
                                • PathIsDirectoryW.SHLWAPI(?), ref: 00134236
                                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,75DAA6F0), ref: 0013424F
                                • PathAppendW.SHLWAPI(?,?,?,75DAA6F0), ref: 00134262
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 0013426D
                                • PathIsDirectoryW.SHLWAPI(?), ref: 0013427C
                                • SHGetFolderPathW.SHELL32(00000000,00000028,00000000,00000000,?,?,75DAA6F0), ref: 0013428F
                                • PathAppendW.SHLWAPI(?,?,?,75DAA6F0), ref: 001342A2
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001342BB
                                • PathFileExistsW.SHLWAPI(?,?,75DAA6F0), ref: 001342CC
                                • PathIsDirectoryW.SHLWAPI(?), ref: 001342DE
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001342F1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$File$lstrcpy$DirectoryExists$AppendFolderlstrcat$EnvironmentExpandFindNameRelativeRemoveSpecStrings
                                • String ID: \np3\
                                • API String ID: 3472113900-578766168
                                • Opcode ID: 4e82ad9165e2ef041882cad38f9894b9ba17ea115a5b2377bf51ec1c21fdabfa
                                • Instruction ID: a64dab8e2758c046cc6bf4b824e05324d496576e8b79449747a8ae9ca8912774
                                • Opcode Fuzzy Hash: 4e82ad9165e2ef041882cad38f9894b9ba17ea115a5b2377bf51ec1c21fdabfa
                                • Instruction Fuzzy Hash: B941DAB260434AABDB20DBA0EC48FEB77ECBF45740F44082AF645D3050EB74E5898B61

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 0290F887: HeapFree.KERNEL32(00000000,00000000,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F89D
                                  • Part of subcall function 0290F887: GetLastError.KERNEL32(?,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F8A8
                                • WaitForSingleObject.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0291461A
                                • GetExitCodeProcess.KERNELBASE(?,?), ref: 02914627
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0291463C
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02914647
                                • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02914652
                                • __dosmaperr.LIBCMT ref: 02914659
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02914664
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0291466F
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 02914681
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0291468C
                                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 029146BD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandle$ErrorLast$CodeExitFreeHeapObjectProcessSingleWait__dosmaperr
                                • String ID:
                                • API String ID: 2764183375-0
                                • Opcode ID: 5ab28786b609b410116c206899bf2451bf3117622b487da8c7f26cb43849dbcd
                                • Instruction ID: 50ebb3d71653ea1211a750dbef9cc190066cfc3ae6007f4a53bfb135c2781392
                                • Opcode Fuzzy Hash: 5ab28786b609b410116c206899bf2451bf3117622b487da8c7f26cb43849dbcd
                                • Instruction Fuzzy Hash: 9251D372D0024CEFCF22AF91C884BFE7BB9EF88319F204465E915A6180DB354A55DF65

                                Control-flow Graph

                                APIs
                                • RtlGetNtVersionNumbers.NTDLL ref: 00131E31
                                • LoadLibraryExW.KERNEL32(comctl32.dll,00000000,00000800), ref: 00131EB3
                                • FreeLibrary.KERNEL32(00000000), ref: 00131F01
                                • VirtualProtect.KERNELBASE(00000000,00000004,00000004,?,?), ref: 00131F49
                                • VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 00131F6F
                                • FreeLibrary.KERNEL32(00000000), ref: 00131F73
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Library$FreeProtectVirtual$LoadNumbersVersion
                                • String ID: P#t@~t)t$comctl32.dll$uxtheme.dll
                                • API String ID: 1860271146-1336577754
                                • Opcode ID: 5119eed09b2d85f63283ce6daf33ff389a51cbdbc59293bd747fc74e328cd8dd
                                • Instruction ID: d350188f6e6bb83664147488ff4c3a3743f611b44ca819f4241b149ab4a9436c
                                • Opcode Fuzzy Hash: 5119eed09b2d85f63283ce6daf33ff389a51cbdbc59293bd747fc74e328cd8dd
                                • Instruction Fuzzy Hash: 04412279601301ABDB209B68FD49B6637E8BF16784F084039FA05D72A2DB21D80DC721

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 028DA96C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 028DA978
                                  • Part of subcall function 028DA98C: std::invalid_argument::invalid_argument.LIBCONCRT ref: 028DA998
                                • Concurrency::cancel_current_task.LIBCPMT ref: 0288FD67
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::invalid_argument::invalid_argument$Concurrency::cancel_current_task
                                • String ID: invalid string position$invalid vector subscript$string too long$vector too long
                                • API String ID: 213144200-272296199
                                • Opcode ID: 93184426694706acb8acad29ce5ce7d7ba9a4eee48264d7074aa359d0c787e08
                                • Instruction ID: 345d5f08fa679dc41eae59fcbff13d47e81afb56ce89ec325daccd39d9af428b
                                • Opcode Fuzzy Hash: 93184426694706acb8acad29ce5ce7d7ba9a4eee48264d7074aa359d0c787e08
                                • Instruction Fuzzy Hash: 89415BBE2002085BD308F778A844AAE73DADF74354B944136FB1DCBA41E735E965C662

                                Control-flow Graph

                                APIs
                                • _strrchr.LIBCMT ref: 02914339
                                • _strrchr.LIBCMT ref: 02914343
                                • _strrchr.LIBCMT ref: 02914358
                                  • Part of subcall function 0290F887: HeapFree.KERNEL32(00000000,00000000,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F89D
                                  • Part of subcall function 0290F887: GetLastError.KERNEL32(?,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F8A8
                                  • Part of subcall function 028FCBAC: IsProcessorFeaturePresent.KERNEL32(00000017,028FCB7E,?,?,?,0288AA00,0288FBC1,?,00000016,?,028FCAF5,?,0288FBC1,0288AA00,?,?), ref: 028FCBAE
                                  • Part of subcall function 028FCBAC: GetCurrentProcess.KERNEL32(C0000417,?,?,00000000,?,?,?,?,?,?,0288AA00,0288FBC1,?,?,0288FBC1), ref: 028FCBD1
                                  • Part of subcall function 028FCBAC: TerminateProcess.KERNEL32(00000000,?,?,?,0288AA00,0288FBC1,?,?,0288FBC1), ref: 028FCBD8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: _strrchr$Process$CurrentErrorFeatureFreeHeapLastPresentProcessorTerminate
                                • String ID: .com
                                • API String ID: 3694955208-4200470757
                                • Opcode ID: 95c3409a8c344a24116204a64bdf385e6967b16443c7870f89ee60eb741f3c4f
                                • Instruction ID: 107689dd2110e75517fa7ffd3028ca4be4bd4c47c592e21a0ec0be2075cc6ecc
                                • Opcode Fuzzy Hash: 95c3409a8c344a24116204a64bdf385e6967b16443c7870f89ee60eb741f3c4f
                                • Instruction Fuzzy Hash: 66515C766003096EEF256B72AC81BBF37ADDFCD364F201229ED15971C1FF2189028660

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • ___security_init_cookie.LIBCMT ref: 00153716
                                  • Part of subcall function 00153FC6: ___get_entropy.LIBCMT ref: 00153FE0
                                • ___scrt_release_startup_lock.LIBCMT ref: 001537B2
                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 001537C6
                                • ___scrt_is_nonwritable_in_current_image.LIBCMT ref: 001537EC
                                • ___scrt_uninitialize_crt.LIBCMT ref: 0015382F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ___scrt_is_nonwritable_in_current_image$___get_entropy___scrt_release_startup_lock___scrt_uninitialize_crt___security_init_cookie
                                • String ID:
                                • API String ID: 2539496024-0
                                • Opcode ID: b4f3b05b46cd5632b1162d52de1a60b9f21737c1289b36dfafd98d6383598653
                                • Instruction ID: 209fae23fef05021999ef31f9e8e4cd60dbcdbc5f83fbc90061065b435fcf2cd
                                • Opcode Fuzzy Hash: b4f3b05b46cd5632b1162d52de1a60b9f21737c1289b36dfafd98d6383598653
                                • Instruction Fuzzy Hash: 5B314971948201DBDB287B74A803B9D77A19F623E2F20041AFC716F1C2DF714B088B65

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                APIs
                                • ___HrLoadAllImportsForDll@4.DELAYIMP ref: 001318B6
                                  • Part of subcall function 00152A3C: ___delayLoadHelper2@8.DELAYIMP ref: 00152A85
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Load$Dll@4Helper2@8Imports___delay
                                • String ID: UxTheme.dll$cE
                                • API String ID: 138266689-328260853
                                • Opcode ID: 5c682228b8843a5e51a607521c8730945be53b2e6f74b87555fa9845fc6cfb95
                                • Instruction ID: b7d311fa154e2a58b03df4f36a20088297ff39fa26dc7dd46740105361a5f706
                                • Opcode Fuzzy Hash: 5c682228b8843a5e51a607521c8730945be53b2e6f74b87555fa9845fc6cfb95
                                • Instruction Fuzzy Hash: 16012276A04748EFCB24CF58ED417EABBB8F706724F10027EE81893690D7351504C760
                                APIs
                                • PathFileExistsW.KERNELBASE(C:\Windows\system32\Viewers\Quikview.exe,00000002,00134EB9), ref: 001325D4
                                • PathIsDirectoryW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 001325DF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$DirectoryExistsFile
                                • String ID: C:\Windows\system32\Viewers\Quikview.exe
                                • API String ID: 1302732169-377476166
                                • Opcode ID: 3c0bf63d45774b2072e72e3d969b7964ae51a6eaa1537e83e1ce03d02d33c313
                                • Instruction ID: 78fab3f1fba6dc1f090ff71933c2e0147b9826d5255e4f86582768c270f115e5
                                • Opcode Fuzzy Hash: 3c0bf63d45774b2072e72e3d969b7964ae51a6eaa1537e83e1ce03d02d33c313
                                • Instruction Fuzzy Hash: 83C012322154219EEF102A287C18BD71288AF02210F094465F401C3048FB64DEC295D4
                                APIs
                                • CreateProcessW.KERNELBASE(?,00000001,?,?,?,00000000,?,00000000,00000001,00000000,?,?,?,?,00000000,?), ref: 0291EABA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: e44cc9c471e956a7b1e559a367ab644f058c7293684a307dc5353a4440edf7f7
                                • Instruction ID: dae7b4112b44cc33dd8fcdadd78cbad836ef1b1bf17d94dbaded33a58a1f154f
                                • Opcode Fuzzy Hash: e44cc9c471e956a7b1e559a367ab644f058c7293684a307dc5353a4440edf7f7
                                • Instruction Fuzzy Hash: 383107B2D0125CAFDF219FEAD9809DEBFB9BF08304F58416AE918B2151D7318951CF60
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000,?,?,?,028F1467,?,?,02881029,00000024,6B22EED2,?,02922599,000000FF), ref: 0291049F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeap
                                • String ID:
                                • API String ID: 1279760036-0
                                • Opcode ID: 022eb7678f1009101577c202d349d5b0b1d9a89b38006b40950c75be1875e302
                                • Instruction ID: 61605ac9bf71b8c442fe881656cccd4ff079bd3d607d292e0757ccb538e25944
                                • Opcode Fuzzy Hash: 022eb7678f1009101577c202d349d5b0b1d9a89b38006b40950c75be1875e302
                                • Instruction Fuzzy Hash: 3BE0E52154022CDEF6316677ACD2B6B374CAF817B0F050821AC4E920C0EF12D880C5E0
                                APIs
                                • GetNativeSystemInfo.KERNELBASE(?,?,?,0288CA2C,?,00000000,811C9DC5,?,00000000,00000000,?,-file,00000005,00000000,00000000,?), ref: 028DAB8B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoNativeSystem
                                • String ID:
                                • API String ID: 1721193555-0
                                • Opcode ID: acbe6ba65176b30f1785eecdb8d9fc77d2fbb35b8c4d14e0aca24f94b5914ad7
                                • Instruction ID: 11646d2a823e45f02d29a6b7fc976a8febdbe86cf1021dc3ebe3d70508e4c99e
                                • Opcode Fuzzy Hash: acbe6ba65176b30f1785eecdb8d9fc77d2fbb35b8c4d14e0aca24f94b5914ad7
                                • Instruction Fuzzy Hash: 47C09B74D0411D97CB00E7E5D54989EB7FCA609108B400451D911E3141E670F95D87A1
                                APIs
                                • LoadLibraryW.KERNEL32(uxtheme.dll,9AAD4D09,75A45540,?), ref: 0014A9AF
                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0014A9C1
                                • FreeLibrary.KERNEL32(00000000), ref: 0014A9D4
                                • CreateWindowExW.USER32(00000080,ToolbarWindow32,00000000,54001D68,00000000,00000000,00000000,00000000,?,000000A1,?,00000000), ref: 0014AA22
                                • SendMessageW.USER32(0000041E,00000014,00000000), ref: 0014AA79
                                • LoadImageW.USER32(?,00000064,00000000,00000000,00000000,00002000), ref: 0014AABB
                                • CopyImage.USER32(00000000,00000000,00000000,00000000,00002000), ref: 0014AACF
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0014AAEB
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0014AB44
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AB48
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AB4C
                                • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0014AB76
                                • GetSysColor.USER32(0000000F), ref: 0014AB82
                                • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0014ABB9
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0014ABC8
                                • DeleteObject.GDI32(00000000), ref: 0014ABCF
                                • SendMessageW.USER32(00000430,00000000,00000000), ref: 0014ABE3
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0014AC13
                                • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0014AC3D
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0014AC4C
                                • DeleteObject.GDI32(00000000), ref: 0014AC53
                                • SendMessageW.USER32(00000434,00000000,00000000), ref: 0014AC67
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0014AC97
                                • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0014ACC1
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0014ACD0
                                • DeleteObject.GDI32(00000000), ref: 0014ACD7
                                • SendMessageW.USER32(00000436,00000000,00000000), ref: 0014ACEB
                                • GetSysColor.USER32(0000000F), ref: 0014AD18
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0014AD33
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0014AE79
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AE7D
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AE81
                                • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0014AEAB
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 0014AED4
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0014AFE8
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AFEC
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014AFF0
                                • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0014B01A
                                • GetSysColor.USER32(0000000F), ref: 0014B026
                                • ImageList_Create.COMCTL32(?,?,?,00000021,00000000,00000000), ref: 0014B06F
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000), ref: 0014B07E
                                • SendMessageW.USER32(00000436,00000000,00000000), ref: 0014B092
                                • DeleteObject.GDI32(00000000), ref: 0014B0A3
                                • wsprintfW.USER32 ref: 0014B0F3
                                • lstrcmpiW.KERNEL32(?,(none)), ref: 0014B130
                                • lstrcmpiW.KERNEL32(?,(none)), ref: 0014B150
                                • SendMessageW.USER32(0000044D,00000000,?), ref: 0014B187
                                • SendMessageW.USER32(00000455,00000000,00000000), ref: 0014B1DC
                                • SendMessageW.USER32(00000454,00000000,00000000), ref: 0014B1EF
                                • SendMessageW.USER32(00000444,00000006,0028E7B0), ref: 0014B203
                                • SendMessageW.USER32(00000444,00000006,0028E7B0), ref: 0014B22B
                                • SendMessageW.USER32(0000041D,00000000,?), ref: 0014B241
                                • CreateWindowExW.USER32(02000000,msctls_statusbar32,00000000,44000000,00000000,00000000,00000000,00000000,?,000000A0,?,00000000), ref: 0014B275
                                • SystemParametersInfoW.USER32(00000042,0000000C,0000000C,00000000), ref: 0014B2CC
                                • CreateWindowExW.USER32(00000080,ReBarWindow32,00000000,?,00000000,00000000,00000000,00000000,?,000000A2,?,00000000), ref: 0014B36E
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 0014B3D0
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014B3D4
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014B3D8
                                • VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 0014B402
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConditionMask$MessageSend$Image$Object$List_$Create$Info$DeleteMaskedVerifyVersion$ColorWindow$LibraryLoadlstrcmpi$AddressCopyFreeParametersProcSystemwsprintf
                                • String ID: $$C)$%02i$(none)$,E)$3$333$4G)$Explorer$IsAppThemed$ReBarWindow32$Toolbar Labels$ToolbarWindow32$d$msctls_statusbar32$uxtheme.dll
                                • API String ID: 3633255068-3099737550
                                • Opcode ID: 700d3033d987eaf2c9c19fcad5c20f02fc0ca2043c29c0c96792397fbcd187ed
                                • Instruction ID: e19989adc9a296c193c27eb9cf7ed77689e7759e31f9b4e726e7bd85c8765858
                                • Opcode Fuzzy Hash: 700d3033d987eaf2c9c19fcad5c20f02fc0ca2043c29c0c96792397fbcd187ed
                                • Instruction Fuzzy Hash: AA82C570A40719AEEB308B25DC59FAABBB9EF45705F04409AF508E71E1DBB49E84CF14
                                APIs
                                • GetModuleHandleW.KERNEL32(kernel32.dll), ref: 028DE14B
                                • GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 028DE159
                                • GetProcAddress.KERNEL32(00000000,FlsFree), ref: 028DE16A
                                • GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 028DE17B
                                • GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 028DE18C
                                • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 028DE19D
                                • GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 028DE1AE
                                • GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 028DE1BF
                                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 028DE1D0
                                • GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 028DE1E1
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 028DE1F2
                                • GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 028DE203
                                • GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 028DE214
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 028DE225
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 028DE236
                                • GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 028DE247
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 028DE258
                                • GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 028DE269
                                • GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 028DE27A
                                • GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 028DE28B
                                • GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 028DE29C
                                • GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 028DE2AD
                                • GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 028DE2BE
                                • GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 028DE2CF
                                • GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 028DE2E0
                                • GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 028DE2F1
                                • GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 028DE302
                                • GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 028DE313
                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 028DE324
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 028DE335
                                • GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 028DE346
                                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 028DE357
                                • GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 028DE368
                                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 028DE379
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 028DE38A
                                • GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 028DE39B
                                • GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 028DE3AC
                                • GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 028DE3BD
                                • GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 028DE3CE
                                • GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 028DE3DF
                                • GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 028DE3F0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
                                • API String ID: 667068680-295688737
                                • Opcode ID: 9fdde1a462be24492a7336ab532df044e0c62fecb5c7802715edc27e4d90ebe1
                                • Instruction ID: 767aafaa81ff22dcb37a707938f0cb7fcb0336b7bfac5d1587b889f01cfd3254
                                • Opcode Fuzzy Hash: 9fdde1a462be24492a7336ab532df044e0c62fecb5c7802715edc27e4d90ebe1
                                • Instruction Fuzzy Hash: EA618A71EDA338BFFB519FB4A82ED763BE8BA596093150E1EF102D2141E7B440648F90
                                APIs
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_0000DC80,00000000), ref: 0014C233
                                • LocalFree.KERNEL32(00000000,?,Function_0000DC80,00000000), ref: 0014C242
                                • ShellExecuteExW.SHELL32(?), ref: 0014C30B
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 0014C3D1
                                • StrCatBuffW.SHLWAPI(?,0029390C,00000104,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0014C3F9
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0014C40D
                                • StrCatBuffW.SHLWAPI(?,?,00000104,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0014C424
                                • SendMessageW.USER32(?,00000111,00019D0E,00000000), ref: 0014E2E4
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Buff$DialogExecuteFreeIndirectLocalMessageNameParamPathSendShellShort
                                • String ID: $<$C:\Windows\system32\Viewers\Quikview.exe
                                • API String ID: 1759457118-124786596
                                • Opcode ID: 27e5bac2977e56e9a4b144940bf8910834eb7bd48977b4d0e6756dfb5b5708c7
                                • Instruction ID: 9503465714b35fdba335dfc1e8e63dd8cbe92b9f8b25c1c11c2e6f83ce11e3e2
                                • Opcode Fuzzy Hash: 27e5bac2977e56e9a4b144940bf8910834eb7bd48977b4d0e6756dfb5b5708c7
                                • Instruction Fuzzy Hash: 2B6225B0644301ABE730DB64EC5AFAB77E8BB95314F00442AF699D61F2EBB09544CB53
                                APIs
                                • SetTimer.USER32(?,0000A000,00000000,00000000), ref: 001491A4
                                • KillTimer.USER32(?,0000A000), ref: 001491DE
                                • FindCloseChangeNotification.KERNEL32 ref: 001491EA
                                • GetWindowPlacement.USER32(?,?), ref: 001491FE
                                • DragAcceptFiles.SHELL32(?,00000000), ref: 0014923C
                                • LocalFree.KERNEL32(00000000), ref: 00149257
                                • PostQuitMessage.USER32(00000000), ref: 00149297
                                • IsWindowVisible.USER32(?), ref: 0014A151
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: TimerWindow$AcceptChangeCloseDragFilesFindFreeKillLocalMessageNotificationPlacementPostQuitVisible
                                • String ID: ,$AutoRefreshRate$Settings2
                                • API String ID: 1545102215-821157459
                                • Opcode ID: 0bfd902c16f015f84aa3f374e33419427275d45f0c51a9e9dff5c141554b5884
                                • Instruction ID: 3026c2baf1306d6ce5efe8bc7ea78319dba7744a8dc96a05361da0ef8a33889a
                                • Opcode Fuzzy Hash: 0bfd902c16f015f84aa3f374e33419427275d45f0c51a9e9dff5c141554b5884
                                • Instruction Fuzzy Hash: 42223432740204ABD720AB24FC4AFBF37E9EFDA711F00452AF94A961E1DB755850D792
                                APIs
                                  • Part of subcall function 0014A930: LoadLibraryW.KERNEL32(uxtheme.dll,9AAD4D09,75A45540,?), ref: 0014A9AF
                                  • Part of subcall function 0014A930: GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0014A9C1
                                  • Part of subcall function 0014A930: FreeLibrary.KERNEL32(00000000), ref: 0014A9D4
                                  • Part of subcall function 0014A930: CreateWindowExW.USER32(00000080,ToolbarWindow32,00000000,54001D68,00000000,00000000,00000000,00000000,?,000000A1,?,00000000), ref: 0014AA22
                                  • Part of subcall function 0014A930: SendMessageW.USER32(0000041E,00000014,00000000), ref: 0014AA79
                                  • Part of subcall function 0014A930: GetObjectW.GDI32(00000000,00000018,?), ref: 0014AAEB
                                • CreateWindowExW.USER32(00000200,SysListView32,00000000,5600414D,00000000,00000000,00000000,00000000,?,0000A001,?,00000000), ref: 0014A401
                                • LoadLibraryW.KERNEL32(uxtheme.dll), ref: 0014A413
                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 0014A425
                                • FreeLibrary.KERNEL32(00000000), ref: 0014A434
                                • GetWindowLongW.USER32(000000EC), ref: 0014A446
                                • SetWindowLongW.USER32(000000EC,00000000), ref: 0014A45A
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027), ref: 0014A472
                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0014A4CE
                                • #410.COMCTL32(?,00131550,00000000,00000000), ref: 0014A4F6
                                • SendMessageW.USER32(?,00001036,00000000,00010030), ref: 0014A509
                                • SendMessageW.USER32(?,00000127,00010001,00000000), ref: 0014A518
                                • SendMessageW.USER32(00001036,00000000,00014000), ref: 0014A54E
                                • SendMessageW.USER32(00001061,00000000,00000005), ref: 0014A562
                                • SendMessageW.USER32(00001036,00000048,00000048), ref: 0014A57C
                                • SendMessageW.USER32(00001036,00000020,00000020), ref: 0014A596
                                • SendMessageW.USER32(00001047,00000000,0000000A), ref: 0014A5B6
                                • GetSystemMetrics.USER32(00000011), ref: 0014A5DA
                                • CreateWindowExW.USER32(00000000,ComboBoxEx32,00000000,44200003,00000000,00000000,00000000,00000000), ref: 0014A5F1
                                • SendMessageW.USER32(?,0000200B,00000000,Explorer), ref: 0014A644
                                • SendMessageW.USER32(?,00000155,00000001,00000000), ref: 0014A650
                                • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 0014A682
                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0014A691
                                • SendMessageW.USER32(?,0000040E,00000008,00000008), ref: 0014A69D
                                • SendMessageW.USER32(?,0000040E,00000020,00000020), ref: 0014A6A9
                                • DragAcceptFiles.SHELL32(?,00000001), ref: 0014A6AE
                                • SendMessageW.USER32(?,?,00000423,00000000), ref: 0014A73E
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0014A74D
                                • GetSystemMenu.USER32(?,00000000,?,?,00000423,00000000,00000000), ref: 0014A752
                                • DeleteMenu.USER32(00000000,0000F120,00000000,?,?,00000423,00000000,00000000), ref: 0014A768
                                • DeleteMenu.USER32(00000000,0000F030,00000000,?,?,00000423,00000000,00000000), ref: 0014A772
                                • GetMenuItemInfoW.USER32(00000000,0000F020,00000000,?), ref: 0014A791
                                • SetMenuItemInfoW.USER32(00000000,0000F020,00000000,00000030), ref: 0014A7AC
                                • LoadStringW.USER32(0000EA61,?,00000040), ref: 0014A7CD
                                • LoadStringW.USER32(0000EA61,?,00000040), ref: 0014A7E8
                                • InsertMenuW.USER32(00000000,0000F010,00000000,0000EA61,?), ref: 0014A805
                                • LoadStringW.USER32(0000EA62,?,00000040), ref: 0014A81C
                                • LoadStringW.USER32(0000EA62,?,00000040), ref: 0014A837
                                • InsertMenuW.USER32(00000000,0000F060,00000000,0000EA62,?), ref: 0014A84E
                                • InsertMenuW.USER32(00000000,0000F060,00000800,00000000,00000000), ref: 0014A85F
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$Menu$LoadWindow$LibraryString$CreateInfoInsert$AddressDeleteFreeItemLongProcSystem$#410AcceptDragFileFilesMetricsObject
                                • String ID: 0$0$C:\$ComboBoxEx32$Explorer$IsAppThemed$ItemsView$SysListView32$uxtheme.dll
                                • API String ID: 1504807357-4163490857
                                • Opcode ID: c0cebfe506d951b34f5cd659bba9b6a28aa4bf2fc718ffd2197ae7cee38aa2b8
                                • Instruction ID: bf43be1447d7d7bbe86fb3d430a4a689992eda6010d95f206cd128b88b820eec
                                • Opcode Fuzzy Hash: c0cebfe506d951b34f5cd659bba9b6a28aa4bf2fc718ffd2197ae7cee38aa2b8
                                • Instruction Fuzzy Hash: 78C1D2707C0345BBF7319B60EC4BFAA7AA8AB85B44F10401AF7447A1E1DBF16544CB6A
                                APIs
                                • lstrcpyW.KERNEL32(00291298,00290850), ref: 0015062D
                                • EnumWindows.USER32(00150310,00000000), ref: 0015063D
                                • IsWindowEnabled.USER32(00000000), ref: 00150650
                                • IsIconic.USER32(00000000), ref: 00150662
                                • ShowWindowAsync.USER32(00000009,00000009), ref: 00150672
                                • SetForegroundWindow.USER32(00000000), ref: 00150685
                                • lstrlenW.KERNEL32(?), ref: 00150694
                                • GlobalAlloc.KERNEL32(00002042,00000000), ref: 001506A7
                                • GlobalLock.KERNEL32(00000000), ref: 001506B4
                                • lstrcpyW.KERNEL32(-00000014,?), ref: 001506E5
                                • GlobalUnlock.KERNEL32(00000000), ref: 001506E8
                                • PostMessageW.USER32(00000233,00000233,00000000,00000000), ref: 001506FA
                                • StrChrW.SHLWAPI(?,0000000A,?,?), ref: 00150744
                                • MessageBoxW.USER32(00000000,?,00010024), ref: 0015076A
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 001507AC
                                • StrCpyNW.SHLWAPI(?,00290E70,00000104), ref: 001507D1
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104), ref: 001507E6
                                • StrCatBuffW.SHLWAPI(?,?,00000104), ref: 001507F3
                                • lstrcpyW.KERNEL32(?,00290C60), ref: 00150802
                                • ShellExecuteExW.SHELL32 ref: 00150883
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00144FF2
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,?), ref: 00145008
                                • lstrcpynW.KERNEL32(?,00291080,00000100), ref: 00150923
                                • wsprintfW.USER32 ref: 0015095C
                                • DdeInitializeW.USER32(?,00146930,00000010,00000000), ref: 00150973
                                • DdeCreateStringHandleW.USER32(?,00290640,000004B0), ref: 00150995
                                • DdeCreateStringHandleW.USER32(?,00290A60,000004B0), ref: 001509A7
                                • DdeConnect.USER32(?,00000000,00000000,00000000), ref: 001509C0
                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00004050,000000FF,00000000,?,?,?,?,?,?,?,?,?), ref: 001509E4
                                • DdeClientTransaction.USER32(?,00000000), ref: 001509FA
                                • DdeDisconnect.USER32(?), ref: 00150A04
                                • DdeUninitialize.USER32(?), ref: 00150A39
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00150A90
                                • StrCpyNW.SHLWAPI(?,00290E70,00000104,?,?,?,?), ref: 00150AB8
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104,?,?,?,?), ref: 00150AD0
                                • StrCatBuffW.SHLWAPI(?,?,00000104,?,?,?,?), ref: 00150AE0
                                • lstrcpyW.KERNEL32(?,00290C60,?,?,?,?), ref: 00150AEC
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,?,?,?,?), ref: 00150B04
                                • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?), ref: 00150B20
                                • ShellExecuteExW.SHELL32(0000003C), ref: 00150BBC
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_000123D0,00000000), ref: 00150BE6
                                • LocalFree.KERNEL32(00000000), ref: 00150BF1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: BuffStringlstrcpy$GlobalWindow$CreateExecuteHandleLoadMessageNamePathShellShortlstrcpynlstrlen$AllocAsyncClientConnectDialogDisconnectEnabledEnumEnvironmentExpandForegroundFreeIconicIndirectInitializeLocalLockParamPostShowStringsTransactionUninitializeUnlockWindowswsprintf
                                • String ID: <$<
                                • API String ID: 2206026705-213342407
                                • Opcode ID: f51f5116a2b6d83739dc9c0b97c31b5567c1d2edbea6a15e51209a96082659f4
                                • Instruction ID: 88b77a139a85d7be5da32f0e95ff8b52d884722d2fe9cbc0bf40de20863a90e5
                                • Opcode Fuzzy Hash: f51f5116a2b6d83739dc9c0b97c31b5567c1d2edbea6a15e51209a96082659f4
                                • Instruction Fuzzy Hash: D4F1CF71904305EFD721DF90DC89BAB77E8BF89705F040919F9949B1A0EBB19988CB92
                                APIs
                                • PathCompactPathExW.SHLWAPI(?,002934AC,00000050,00000000), ref: 0014E592
                                • LoadStringW.USER32(?,?,00000100), ref: 0014E5B9
                                • LoadStringW.USER32(?,?,00000100), ref: 0014E5D3
                                • SendMessageW.USER32 ref: 0014EB14
                                • CoTaskMemFree.OLE32(?), ref: 0014EB26
                                • CoTaskMemFree.OLE32(?), ref: 0014EB34
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeLoadPathStringTask$CompactMessageSend
                                • String ID: $ $%s | %s %s | %s$*.*$1 2 3 4 5 0 8
                                • API String ID: 1377716363-2071259183
                                • Opcode ID: 5062687df54aa1732ea1471d9c81a306ee4382135b526a786a31b694c9ea4715
                                • Instruction ID: a2023590d250e2a83725b7770dea9c6adbe2b5a36a57e41d1f4912a6bf9c7536
                                • Opcode Fuzzy Hash: 5062687df54aa1732ea1471d9c81a306ee4382135b526a786a31b694c9ea4715
                                • Instruction Fuzzy Hash: C722D271A04745AFD720DBA4DC49FAB77E8FF88314F00492AF689D71A1EB70E9448B52
                                APIs
                                  • Part of subcall function 028A10A0: CoInitializeEx.OLE32(00000000,00000000,00000001,00000000), ref: 028A10A4
                                  • Part of subcall function 028A10A0: CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000000,00000003,00000000,00000000,00000000), ref: 028A10C0
                                  • Part of subcall function 0289FDE0: GetComputerNameExW.KERNEL32(00000002,?,?,6B22EED2,?,?,?), ref: 0289FE69
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000104), ref: 0288E251
                                • __Mtx_init_in_situ.LIBCPMT ref: 0288E313
                                • __Mtx_destroy_in_situ.LIBCPMT ref: 0288E441
                                • GetCurrentThreadId.KERNEL32 ref: 0288E716
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: InitializeName$ComputerCurrentFileModuleMtx_destroy_in_situMtx_init_in_situSecurityThread
                                • String ID: !$"$$$/$5$;$Checking arguments$D$J$^$c:\$currentFilePath: %ls$d$d$d$e$l$n$n$u$}$|V
                                • API String ID: 1916696450-4113272198
                                • Opcode ID: 06c35a4474fcae28b6b74c3ecd9822fea059b83f679c2cf2a533f7fef14c24e4
                                • Instruction ID: efcb170802ac5aa7e32f9db90862329be1b4d6abe1e9ce90f11f6ebe664139f3
                                • Opcode Fuzzy Hash: 06c35a4474fcae28b6b74c3ecd9822fea059b83f679c2cf2a533f7fef14c24e4
                                • Instruction Fuzzy Hash: 2282BD79D002188FDB28EF68CC947EDBBB6BF59304F148199E549E7281E7706A84CF91
                                APIs
                                • DName::DName.LIBVCRUNTIME ref: 00157F61
                                • operator+.LIBVCRUNTIME ref: 00157F7B
                                • DName::operator+.LIBCMT ref: 001580AF
                                • DName::operator+.LIBCMT ref: 001580CC
                                • DName::operator+.LIBCMT ref: 0015811B
                                  • Part of subcall function 00159280: DName::DName.LIBVCRUNTIME ref: 001592C3
                                  • Part of subcall function 00157C69: shared_ptr.LIBCMT ref: 00157C85
                                  • Part of subcall function 0015997C: shared_ptr.LIBCMT ref: 00159A2D
                                • DName::operator+.LIBCMT ref: 00158192
                                • DName::operator+.LIBCMT ref: 001581A1
                                • DName::operator+.LIBCMT ref: 00158694
                                • DName::operator+.LIBCMT ref: 001586A2
                                • DName::operator+.LIBCMT ref: 0015891F
                                  • Part of subcall function 00157B58: DName::operator+.LIBCMT ref: 00157B79
                                • DName::operator+.LIBCMT ref: 00158A23
                                • DName::operator+.LIBCMT ref: 00158AF8
                                • DName::operator+.LIBCMT ref: 00158BA6
                                • DName::operator+.LIBCMT ref: 00158BE3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name::operator+$NameName::shared_ptr$operator+
                                • String ID: /
                                • API String ID: 1847427470-2043925204
                                • Opcode ID: 0adbbff2549bffea489d1670abba7f8f259e93f4bb716b0587d601ea41034816
                                • Instruction ID: 9248463a647486b9dab66a2493a748f5a55c07d188af406e0d2b22e980a7d609
                                • Opcode Fuzzy Hash: 0adbbff2549bffea489d1670abba7f8f259e93f4bb716b0587d601ea41034816
                                • Instruction Fuzzy Hash: 49826F75D10219DBDF18DBA4D895AEEB7B8BF58301F14452AEC21FB280EF749A48CB50
                                APIs
                                • DName::operator+.LIBCMT ref: 00159B42
                                • shared_ptr.LIBCMT ref: 00159C4C
                                  • Part of subcall function 0015A98F: DName::operator+.LIBCMT ref: 0015AA25
                                • DName::operator+.LIBCMT ref: 00159D7B
                                • DName::operator+.LIBCMT ref: 00159DB0
                                • DName::operator+.LIBCMT ref: 00159DFF
                                • DName::DName.LIBVCRUNTIME ref: 0015A197
                                • DName::operator+.LIBCMT ref: 0015A1A3
                                • DName::operator+.LIBCMT ref: 0015A1B1
                                • DName::operator+.LIBCMT ref: 0015A1BC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name::operator+$NameName::shared_ptr
                                • String ID: &&
                                • API String ID: 1350545318-993083564
                                • Opcode ID: 554145bb933be176d5ef5161e8c6d987d3f012bc07dd0ec75ef8d5670002a552
                                • Instruction ID: 821055aa4f86d032b6fe20e1d0631043298d7bb21308eb2812b0019595b5f5b8
                                • Opcode Fuzzy Hash: 554145bb933be176d5ef5161e8c6d987d3f012bc07dd0ec75ef8d5670002a552
                                • Instruction Fuzzy Hash: A042A171D04209DFDF18DFA4D596AEEBBF4AF18301F10815AED26AF281DB309A48CB51
                                APIs
                                • lstrcpyW.KERNEL32(00291298,Notepad3), ref: 00150C86
                                • EnumWindows.USER32(Function_00020310,?), ref: 00150C9E
                                • IsIconic.USER32(00000000), ref: 00150CB1
                                • IsZoomed.USER32(00000000), ref: 00150CBF
                                • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 00150CD9
                                • SetForegroundWindow.USER32(00000000), ref: 00150CE9
                                • BringWindowToTop.USER32(00000000), ref: 00150CEF
                                • SetForegroundWindow.USER32 ref: 00150CF6
                                • GetSystemMetrics.USER32(00000000), ref: 00150CFA
                                • GetWindowRect.USER32(?,?), ref: 00150D0E
                                • GetWindowRect.USER32(?,?), ref: 00150D19
                                • EqualRect.USER32(?,?), ref: 00150D63
                                • SystemParametersInfoW.USER32(00000048,00000008,?,00000000), ref: 00150D7F
                                • DrawAnimatedRects.USER32(?,00000003,?,?,?,?), ref: 00150D99
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 00150DB0
                                  • Part of subcall function 001333B0: lstrlenW.KERNEL32(?,?), ref: 00133516
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$Rect$ForegroundSystem$AnimatedBringDrawEnumEqualIconicInfoMessageMetricsParametersRectsSendWindowsZoomedlstrcpylstrlen
                                • String ID: Notepad3$Target Application$TargetApplicationWndClass$UseTargetApplication
                                • API String ID: 1367193657-1024641697
                                • Opcode ID: ce310d6b563db98f878d29cd111bec01b8199597e3a2697777b28b7591b98fd9
                                • Instruction ID: 1d087c72f0f15f71e54c175e1dd2f87e451ec454a64c662b94d1935d8880186c
                                • Opcode Fuzzy Hash: ce310d6b563db98f878d29cd111bec01b8199597e3a2697777b28b7591b98fd9
                                • Instruction Fuzzy Hash: B541AC71608301AFD710DFA4DC8AF9F7BE8FB89701F004929F991E6690D770E9488B52
                                APIs
                                • lstrcpyW.KERNEL32(00291298,Notepad3), ref: 0014DB4E
                                • EnumWindows.USER32(00150310,?), ref: 0014DB66
                                • IsIconic.USER32(00000000), ref: 0014DB79
                                • IsZoomed.USER32(00000000), ref: 0014DB87
                                • SendMessageW.USER32(?,00000112,0000F120,00000000), ref: 0014DBA1
                                • SetForegroundWindow.USER32(00000000), ref: 0014DBB1
                                • BringWindowToTop.USER32(00000000), ref: 0014DBB7
                                • SetForegroundWindow.USER32 ref: 0014DBBE
                                • GetSystemMetrics.USER32(00000000), ref: 0014DBC2
                                • GetWindowRect.USER32(?,?), ref: 0014DBD9
                                • GetWindowRect.USER32(?,?), ref: 0014DBE4
                                • EqualRect.USER32(?,?), ref: 0014DC3D
                                • SystemParametersInfoW.USER32(00000048,00000008,?,00000000), ref: 0014DC5D
                                • DrawAnimatedRects.USER32(?,00000003,?,?,?,?), ref: 0014DC7A
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005,?,?), ref: 0014DC97
                                  • Part of subcall function 001333B0: lstrlenW.KERNEL32(?,?), ref: 00133516
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$Rect$ForegroundSystem$AnimatedBringDrawEnumEqualIconicInfoMessageMetricsParametersRectsSendWindowsZoomedlstrcpylstrlen
                                • String ID: Notepad3$Target Application$TargetApplicationWndClass$UseTargetApplication
                                • API String ID: 1367193657-1024641697
                                • Opcode ID: 20a54e2c84220d70822b453fa06eedca2b672e30ce3e774b709cd6f1d0bec66e
                                • Instruction ID: a1e45b906c9ac83fd7c824fb0c480e810fbbb1a7b9eabe8ce8d810964bd5abff
                                • Opcode Fuzzy Hash: 20a54e2c84220d70822b453fa06eedca2b672e30ce3e774b709cd6f1d0bec66e
                                • Instruction Fuzzy Hash: EF41AF71348301ABEB209F64EC49FAF77E8FB89701F044929F585E22A0DB70D8448F62
                                APIs
                                • GetLastError.KERNEL32(?,00000000,?,?,00132773), ref: 00142F39
                                  • Part of subcall function 00148460: ResolveLocaleName.KERNEL32(en-GB,?,00000055), ref: 0014848A
                                  • Part of subcall function 00148460: GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 001484AD
                                • FormatMessageW.KERNEL32 ref: 00142F63
                                • lstrlenW.KERNEL32(00000000,00000000,00290388), ref: 00142F7A
                                • lstrlenW.KERNEL32(00000000), ref: 00142F82
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00142F92
                                • GetFocus.USER32 ref: 00142FBF
                                • MessageBoxExW.USER32(?,00000000,MiniPath - ERROR,00000010,?), ref: 00142FDA
                                • LocalFree.KERNEL32(00000000,?,?,00132773), ref: 00142FE1
                                • LocalFree.KERNEL32(?), ref: 00142FE7
                                Strings
                                • Error: '%s' failed with error id %d:%s., xrefs: 00142FAD
                                • MiniPath - ERROR, xrefs: 00142FD0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Local$FreeLocaleMessagelstrlen$AllocErrorFocusFormatInfoLastNameResolve
                                • String ID: Error: '%s' failed with error id %d:%s.$MiniPath - ERROR
                                • API String ID: 2054022804-1590999508
                                • Opcode ID: e32f21e0018314139d58295a6a90ad8c34a4dba36213cc6a48f54baf617dd6c6
                                • Instruction ID: 5ef6a167e42a511c8d6ecb0219098d6f24756a2fd0669805410dccd069c9b140
                                • Opcode Fuzzy Hash: e32f21e0018314139d58295a6a90ad8c34a4dba36213cc6a48f54baf617dd6c6
                                • Instruction Fuzzy Hash: 7E11B6757043147FD3016F65EC05F6B7BE8EB85B54F050429F940A22A0D775D8448AA2
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                • API String ID: 4168288129-2761157908
                                • Opcode ID: 1b0cc5e6a61bba246a661444b0404abbed21dc7e8d530f0ac6d987e2658128f5
                                • Instruction ID: 38e898c3caa290092c56e7293d086d645f05a72a9d9405c8cacd5f8474a78805
                                • Opcode Fuzzy Hash: 1b0cc5e6a61bba246a661444b0404abbed21dc7e8d530f0ac6d987e2658128f5
                                • Instruction Fuzzy Hash: 65D23A75E082289FDB65CE28CD407EAB7B5FB4A305F1441EAD40DE7240E778AE858F40
                                APIs
                                • GetLocaleInfoEx.KERNEL32(00000000,0000000F,00000008,00000008,00000000,?,?,?,?,?,0014F380), ref: 0014670F
                                • lstrlenW.KERNEL32(?,771B3070,75A45540,?,?,?,?,0014F380), ref: 0014672C
                                • CharPrevW.USER32(?,00000000,?,?,?,?,0014F380), ref: 00146733
                                • lstrlenW.KERNEL32(00000000,?,?,?,?,0014F380), ref: 00146749
                                • CharPrevW.USER32(?,00000000,?,?,?,?,0014F380), ref: 0014676A
                                • lstrlenW.KERNEL32(?,?,?,?,?,0014F380), ref: 00146777
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrlen$CharPrev$InfoLocale
                                • String ID:
                                • API String ID: 1002616787-0
                                • Opcode ID: b466f92740bc4962105db4f3b121b522fabe3cc75de7d223cee0890d58108495
                                • Instruction ID: af3d321e526a0d8f8c7b60709f6a8b3f21aa1aec096e7c22fe1b144499057430
                                • Opcode Fuzzy Hash: b466f92740bc4962105db4f3b121b522fabe3cc75de7d223cee0890d58108495
                                • Instruction Fuzzy Hash: 6B11D6B66002155BD710AF649CC5A7B77ECEF8A355F410839F916C7121EB359C4883A2
                                APIs
                                • GetLocaleInfoW.KERNEL32(000000FF,2000000B,0291C45C,00000002,00000000,?,?,?,0291C45C,?,00000000), ref: 0291C1D7
                                • GetLocaleInfoW.KERNEL32(000000FF,20001004,0291C45C,00000002,00000000,?,?,?,0291C45C,?,00000000), ref: 0291C200
                                • GetACP.KERNEL32(?,?,0291C45C,?,00000000), ref: 0291C215
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: a435166b73c34d209a87be6126431a989e8072d21a3d62404780d18418454d69
                                • Instruction ID: 7fa8f0d61a62f52c706429c3b33e7e512b9ccd77c1ce17e5dacdd8d9e4325863
                                • Opcode Fuzzy Hash: a435166b73c34d209a87be6126431a989e8072d21a3d62404780d18418454d69
                                • Instruction Fuzzy Hash: E321B672BC4108ABDB359F66C900B9773ABFB54F54B468866E80AD7100E732DA40C352
                                APIs
                                • GetLocaleInfoW.KERNEL32(?,2000000B,0019CC64,00000002,00000000,?,?,?,0019CC64,?,00000000), ref: 0019C9DF
                                • GetLocaleInfoW.KERNEL32(?,20001004,0019CC64,00000002,00000000,?,?,?,0019CC64,?,00000000), ref: 0019CA08
                                • GetACP.KERNEL32(?,?,0019CC64,?,00000000), ref: 0019CA1D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoLocale
                                • String ID: ACP$OCP
                                • API String ID: 2299586839-711371036
                                • Opcode ID: cd0b3ccc6d4c543984c0aa56ebc818467f75a2410ea0f3dfc03521a59c7607ee
                                • Instruction ID: e822acf58bb14c9c659be5b0ace46752bc6121b719e9f12c537f56727867b885
                                • Opcode Fuzzy Hash: cd0b3ccc6d4c543984c0aa56ebc818467f75a2410ea0f3dfc03521a59c7607ee
                                • Instruction Fuzzy Hash: 0A21C532A04115AAEF34CF14C901B97B3A7EF55B68B568024E9CADB101F732DE41D3D0
                                APIs
                                  • Part of subcall function 0290F53F: GetLastError.KERNEL32(00000010,00000000,0291B1F7,0294BD50,0000000C,02910514,0000000C,?,029010CD,00000000,0000000C,?,00000000,00000000,00000000), ref: 0290F543
                                  • Part of subcall function 0290F53F: SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,0288FBC1,?,0288FBC1,0288FBC1,?,02905A35,F4458D02,F4458D02), ref: 0290F5E5
                                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0291C41F
                                • IsValidCodePage.KERNEL32(00000000), ref: 0291C468
                                • IsValidLocale.KERNEL32(?,00000001), ref: 0291C477
                                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0291C4BF
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0291C4DE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                • String ID:
                                • API String ID: 415426439-0
                                • Opcode ID: b604b6bc1181da392a097cc76604c9a0820453e73300fa57ee3e730d57515cd5
                                • Instruction ID: d75025da582383dce4b45044e6c5e7a226aeb26df1ef33a86468dc6ad304b548
                                • Opcode Fuzzy Hash: b604b6bc1181da392a097cc76604c9a0820453e73300fa57ee3e730d57515cd5
                                • Instruction Fuzzy Hash: DC517F71A4421DAFEB20DFA6DC41BBE73B9EF44704F05442AE915E7180EB70DA45CB62
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 0019CC27
                                • IsValidCodePage.KERNEL32(00000000), ref: 0019CC70
                                • IsValidLocale.KERNEL32(?,00000001), ref: 0019CC7F
                                • GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 0019CCC7
                                • GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 0019CCE6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Locale$ErrorInfoLastValid$CodeDefaultPageUser
                                • String ID:
                                • API String ID: 415426439-0
                                • Opcode ID: 3f31daf514110d075c7b1ce2d04b291ce8bcef9247d91297695aa51ff192c126
                                • Instruction ID: efc38fc99c4cb469e17609e316c767d0470295b870cb93dbc77b2bf5e0d7e2db
                                • Opcode Fuzzy Hash: 3f31daf514110d075c7b1ce2d04b291ce8bcef9247d91297695aa51ff192c126
                                • Instruction Fuzzy Hash: DC519F71A0020AAFEF14DFA4DC41ABEB7B8FF58700F044569F985E7191EB709A45CBA1
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • GetACP.KERNEL32(?,?,?,?,?,?,0018D733,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0019C25A
                                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,0018D733,?,?,?,00000055,?,-00000050,?,?), ref: 0019C285
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 0019C3E8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$CodeInfoLocalePageValid
                                • String ID: utf8
                                • API String ID: 607553120-905460609
                                • Opcode ID: eacc041104f67fe293634fe32104e1f12bbfa6ea9ae69df470ae1c573ca78d67
                                • Instruction ID: cbab4c48cc96df571e95a9dfdb7f5f242b59ca6ee0e4a253cc14620c683e6b5f
                                • Opcode Fuzzy Hash: eacc041104f67fe293634fe32104e1f12bbfa6ea9ae69df470ae1c573ca78d67
                                • Instruction Fuzzy Hash: B471C371600206AAEF24AB75DC86BAB73A8EF55700F14446AF985DB181EB70EE4187E1
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: _strrchr
                                • String ID:
                                • API String ID: 3213747228-0
                                • Opcode ID: b9ce8829aa55823898c93105159777da1834c8f04776191766cce1f8929c9103
                                • Instruction ID: aac1e35845c8dedf26c4a8f507471aed834bba4a0be0e57b11fdbf62c91ca634
                                • Opcode Fuzzy Hash: b9ce8829aa55823898c93105159777da1834c8f04776191766cce1f8929c9103
                                • Instruction Fuzzy Hash: BFB15832A04246BFDF159F68C881BFEBBB5EF55310F25826AE914EB241D3359D81C7A0
                                APIs
                                • FindFirstFileExW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,00000000,?,00000000), ref: 00196601
                                • FindNextFileW.KERNEL32(00000000,?), ref: 0019667C
                                • FindClose.KERNEL32(00000000), ref: 0019669E
                                • FindClose.KERNEL32(00000000), ref: 001966C1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Find$CloseFile$FirstNext
                                • String ID:
                                • API String ID: 1164774033-0
                                • Opcode ID: 6c0b486fdd2c76d5997ad6fa4ee688763e325eb6944356c2478db88b4828fa3f
                                • Instruction ID: 7ab443efde02178d4196a4909079583cfeec91d8815b9de27772ec6a81206040
                                • Opcode Fuzzy Hash: 6c0b486fdd2c76d5997ad6fa4ee688763e325eb6944356c2478db88b4828fa3f
                                • Instruction Fuzzy Hash: 2441E172D00629AEDF20EF68DC89EAEB7B8EB95344F004195E405D7184EB349E84CF70
                                APIs
                                • CoCreateInstance.OLE32(001B378C,00000000,00000001,001AFD7C,?,0000C356,?), ref: 001460AF
                                • lstrcpyW.KERNEL32(?,?), ref: 001460DB
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00146152
                                • lstrcpynW.KERNEL32(?,?,?), ref: 0014616C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CreateEnvironmentExpandInstanceStringslstrcpylstrcpyn
                                • String ID:
                                • API String ID: 4041286039-0
                                • Opcode ID: fbef28df33a7ccb82c681da6ecd7740ca8514e62aafd67583bac4a55fe45b97d
                                • Instruction ID: 9b23f65a62960808c6d39cf98281841efb669d07a41d1947082fa88a10c01cad
                                • Opcode Fuzzy Hash: fbef28df33a7ccb82c681da6ecd7740ca8514e62aafd67583bac4a55fe45b97d
                                • Instruction Fuzzy Hash: 34311CB1304246AFD320DB58DC44EABB7E9EFC9704F404829F659D7261EB31E909CB62
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 028F2381
                                • IsDebuggerPresent.KERNEL32 ref: 028F244D
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 028F246D
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 028F2477
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                • String ID:
                                • API String ID: 254469556-0
                                • Opcode ID: a1b52a38c2fbf525d16ca8aaad64b8406212b6b9015fc63586e966c3a7cfec66
                                • Instruction ID: 0898db1fdf61b5210c91193b09335d0f4d965c19e6416288d06fdaa4338c3997
                                • Opcode Fuzzy Hash: a1b52a38c2fbf525d16ca8aaad64b8406212b6b9015fc63586e966c3a7cfec66
                                • Instruction Fuzzy Hash: E4313A79D4521CDBDB60DFA4D9997CCBBF8AF08304F1040DAE50DAB240EB719A888F05
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 00153AD9
                                • IsDebuggerPresent.KERNEL32 ref: 00153BA5
                                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00153BC5
                                • UnhandledExceptionFilter.KERNEL32(?), ref: 00153BCF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ExceptionFilterPresentUnhandled$DebuggerFeatureProcessor
                                • String ID:
                                • API String ID: 254469556-0
                                • Opcode ID: ed378fc3b04fdc2d797d7a1c8946b02accaab2013aad71f63d1dd289a5784baf
                                • Instruction ID: ca2d943d7b8d1c9a5dba63a7e7f2c16e044249fd2c8a7b071a48f3d66688f636
                                • Opcode Fuzzy Hash: ed378fc3b04fdc2d797d7a1c8946b02accaab2013aad71f63d1dd289a5784baf
                                • Instruction Fuzzy Hash: 96313675D0521CDBDB21DFA4D989BCDBBF8AF08305F1040AAE41CAB250EB719B888F44
                                APIs
                                • VirtualQuery.KERNEL32(80000000,00152562,0000001C,00152757,00000000,00000000,00000000,?,?,?,?,?,00152562,00000004,0028EC84,00152AAD), ref: 0015262E
                                • GetSystemInfo.KERNEL32(?,?,00000000,?,?,?,00152562,00000004,0028EC84,00152AAD,?), ref: 00152649
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoQuerySystemVirtual
                                • String ID: D
                                • API String ID: 401686933-2746444292
                                • Opcode ID: fcdd1fa24b1af27cfc22b8549630c4c04545132403c5b6d38bc4a742944789f5
                                • Instruction ID: 4f569c57f220f40e8908277e768bc7435bc57cb39fbbab652c2c7f5cf705d2b9
                                • Opcode Fuzzy Hash: fcdd1fa24b1af27cfc22b8549630c4c04545132403c5b6d38bc4a742944789f5
                                • Instruction Fuzzy Hash: 3901F273A40109ABDB14DE29DC05BEE7BEAAFD5325F0CC220ED29DB250EB74D8458680
                                APIs
                                • ResolveLocaleName.KERNEL32(en-GB,?,00000055), ref: 0014848A
                                • GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 001484AD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Locale$InfoNameResolve
                                • String ID: en-GB
                                • API String ID: 2669342117-1534501853
                                • Opcode ID: d78f9b7f4bacc088dffe2279cd99e7dbf8e9fac5875c9bd9361fb60655233ef3
                                • Instruction ID: 65a2da61d3c9b65fae246cae6fb6b5cb1ae42ea0595e50b0aa29e6d79535a76c
                                • Opcode Fuzzy Hash: d78f9b7f4bacc088dffe2279cd99e7dbf8e9fac5875c9bd9361fb60655233ef3
                                • Instruction Fuzzy Hash: 82F04FB56043459FE320EF24EC4AB6B77E4BB48700F844818F959C72A1E7789998CB43
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0019C61E
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0019C668
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0019C72E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoLocale$ErrorLast
                                • String ID:
                                • API String ID: 661929714-0
                                • Opcode ID: df5e469b2d4de28585a09fceaa220137e989a7af8a67a7346b5a3865ce7b6347
                                • Instruction ID: f4cda1bf6d7f27f87f9d6eb500d920c2835898bc587ab6b883ce5b1112e1a2b4
                                • Opcode Fuzzy Hash: df5e469b2d4de28585a09fceaa220137e989a7af8a67a7346b5a3865ce7b6347
                                • Instruction Fuzzy Hash: E561AF719102179BEF28DF68CC82BBAB7A8EF14300F10407AED45D6285EB34DA95CF90
                                APIs
                                • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 00181095
                                • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 0018109F
                                • UnhandledExceptionFilter.KERNEL32(-00000227,?,?,?,?,?,00000000), ref: 001810AC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                • String ID:
                                • API String ID: 3906539128-0
                                • Opcode ID: 194d57e9b3230511cb4d77ee50eb4d29d01c84e57e8b2129a9789e0b9bf065a8
                                • Instruction ID: 8f3eb91fb75d0d9760705de54ef85228b795d0047b46fbc4e1c75cf4083a157f
                                • Opcode Fuzzy Hash: 194d57e9b3230511cb4d77ee50eb4d29d01c84e57e8b2129a9789e0b9bf065a8
                                • Instruction Fuzzy Hash: B531B27590122DEBCB21DF64D889B9DBBB8BF18310F5041EAE81CA7251E7749B858F44
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e403865b37332d6e4d28a3e02ac7cefa5516ed0a8134db23adcc442601ab295d
                                • Instruction ID: 4a912b8f12597a1c3aa04ec1fafc87acfe9cb7c8743d8339123845e20369f914
                                • Opcode Fuzzy Hash: e403865b37332d6e4d28a3e02ac7cefa5516ed0a8134db23adcc442601ab295d
                                • Instruction Fuzzy Hash: E3F13E71E012199FDF14CFA8CC906AEBBB1FF89314F158269E925A7380D731AE51CB90
                                APIs
                                • LCIDToLocaleName.KERNEL32(?,?,00000055,08000000), ref: 0015128B
                                • GetLocaleInfoEx.KERNEL32(?,0000006D,00000000,00000055), ref: 0015129D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Locale$InfoName
                                • String ID:
                                • API String ID: 3347482803-0
                                • Opcode ID: ac10d18384c9187c282a594a2e2abcc6c715a8621506de156d7c10edfd6617fc
                                • Instruction ID: 40c4d5e90543d139205c4de74d15bc09333c1bd9830f22094af8874e20b9b7f3
                                • Opcode Fuzzy Hash: ac10d18384c9187c282a594a2e2abcc6c715a8621506de156d7c10edfd6617fc
                                • Instruction Fuzzy Hash: 7CF03A31700629FBEB225F658C09BAB369CFF06B52F140525BE21DA590D7B1D854DAA0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __floor_pentium4
                                • String ID:
                                • API String ID: 4168288129-0
                                • Opcode ID: 06cc7a2c2c44189bbf37be8f78f9aee025c0dfcdcf919e04d6649bc7649184a9
                                • Instruction ID: 8d21b9648712347843be7c2e40a73397268ddd8ebf8a37036ec3896cde76ebdc
                                • Opcode Fuzzy Hash: 06cc7a2c2c44189bbf37be8f78f9aee025c0dfcdcf919e04d6649bc7649184a9
                                • Instruction Fuzzy Hash: 7AB24971E046299FDF69CE28DD407EAB7B5EB48305F1541EAD84EE7240E734AE828F40
                                APIs
                                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,001A86DB,?,?,00000008,?,?,001A81D0,00000000), ref: 001A890D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ExceptionRaise
                                • String ID:
                                • API String ID: 3997070919-0
                                • Opcode ID: 0905f85f73dd75ed41c29b7f751fe4ab23e9a3a5fd547974d4d6afc72fb6f7f0
                                • Instruction ID: 0bc6ae0406d5a965f89fc3051b345df98d0117a619ce44352094b954ba8922b0
                                • Opcode Fuzzy Hash: 0905f85f73dd75ed41c29b7f751fe4ab23e9a3a5fd547974d4d6afc72fb6f7f0
                                • Instruction Fuzzy Hash: 14B14C39610608CFD719CF28C486B657BE0FF46364F658658E8D9CF2A2CB35E991CB40
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2ed1de6c50f6748a1ce3b59820844d2796307fb77105718bf900ccf336df415e
                                • Instruction ID: 801576ef7e30c187b3764d62cf6258c92b12f080b5e5e21f52d3252129777ae5
                                • Opcode Fuzzy Hash: 2ed1de6c50f6748a1ce3b59820844d2796307fb77105718bf900ccf336df415e
                                • Instruction Fuzzy Hash: 0651A2B5804219AFDF24DFB8CC89AAABBB9EF55304F14429DE419D3201EB319E458F60
                                APIs
                                  • Part of subcall function 0290F887: HeapFree.KERNEL32(00000000,00000000,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F89D
                                  • Part of subcall function 0290F887: GetLastError.KERNEL32(?,?,0291A993,?,00000000,?,?,0291AC34,?,00000007,?,?,0291B12D,?,?), ref: 0290F8A8
                                • GetTimeZoneInformation.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,029182EB,00000000,00000000,00000000), ref: 029181AA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorFreeHeapInformationLastTimeZone
                                • String ID:
                                • API String ID: 3335090040-0
                                • Opcode ID: f7bbedcbbd42afb4d8a98fd35a8aa9fad390d4cfba5bed8234207d27b8a732aa
                                • Instruction ID: a48c25d5a320b7893d6580fc7b65e05a73a23073fda66171621e923277ba7e60
                                • Opcode Fuzzy Hash: f7bbedcbbd42afb4d8a98fd35a8aa9fad390d4cfba5bed8234207d27b8a732aa
                                • Instruction Fuzzy Hash: E2412876E0022DABDB15AFB6DC049AEBBBAFF45360B104566E814E7190DB309D40DFD0
                                APIs
                                • IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00153CE6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FeaturePresentProcessor
                                • String ID:
                                • API String ID: 2325560087-0
                                • Opcode ID: 93af52609a0f90709d265fffb068fde97fce810694031fe142ef22bc0bd6fd2e
                                • Instruction ID: 71c995f5430103fe7157c257843e28208742083fa6bc54cc7ba74209efe8b24e
                                • Opcode Fuzzy Hash: 93af52609a0f90709d265fffb068fde97fce810694031fe142ef22bc0bd6fd2e
                                • Instruction Fuzzy Hash: 86519EB2A01225CFDB24CF94E889BAABBF4FB44351F24846AD835EB650D374DA44DF50
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 72fd03e10af6bf8b1a4eaca57d330281b18602ec783b6e853943c51aca21e919
                                • Instruction ID: 2fb78f623cefaf233a65e6acd02c35347acdae8a939c2c2beb3ee12e8d17a4b1
                                • Opcode Fuzzy Hash: 72fd03e10af6bf8b1a4eaca57d330281b18602ec783b6e853943c51aca21e919
                                • Instruction Fuzzy Hash: 7CE1A930A006058FCB28CF68C580AAEB7F1FF89314BA5C65DD59E9B291D731AD46CB53
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 9e19d4c9e280e44aa8e9f33e80381f4f2387d3da367555284123de4ef6631a55
                                • Instruction ID: 6547199c0b6d89944de0f45b64ebf51414ac90457eddb3fbc18c50a3d43b8323
                                • Opcode Fuzzy Hash: 9e19d4c9e280e44aa8e9f33e80381f4f2387d3da367555284123de4ef6631a55
                                • Instruction Fuzzy Hash: 78E1CF706006058FCB28CF68C584A6EB7F1FF99314BA8C65DE45E9B290D731ED46CB52
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 9a19cb6f12f8577c32c4e68775e51ed28998403334637dd392ed2d8beb9a6085
                                • Instruction ID: e109f1128d385305ba09c57a0de862000b27ddd1973e5c21575669a1740bd48a
                                • Opcode Fuzzy Hash: 9a19cb6f12f8577c32c4e68775e51ed28998403334637dd392ed2d8beb9a6085
                                • Instruction Fuzzy Hash: C5E190706006059FCB29CF68C580AAEB7F2FF99310BA4C65DD49E9B690D730ED85CB52
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 173db9ebc62fc553579b2fe76c63bea463b635eef33069a3d9c1b674057a87ba
                                • Instruction ID: 66908d719fb05981d7a3ea8209760f50e84b5c490681181573b78522f08687a3
                                • Opcode Fuzzy Hash: 173db9ebc62fc553579b2fe76c63bea463b635eef33069a3d9c1b674057a87ba
                                • Instruction Fuzzy Hash: BFC1E03090464A9FCB28DF68C584ABEB7F2BF56320F14C619D45E9B792C730AD4ACB51
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 443abdf25008e83d20753e5c6f5a12df452bfb1a6c3f7020cb34caa83805ab80
                                • Instruction ID: 25e333af8201753cb74001606bccf099c04a5e23c6529983c4499df4cff9d5eb
                                • Opcode Fuzzy Hash: 443abdf25008e83d20753e5c6f5a12df452bfb1a6c3f7020cb34caa83805ab80
                                • Instruction Fuzzy Hash: 52C1CE70A0464ECFCB29CF68C4D0BBEB7BABF49308F144A19D49A9B2D1D730A945CB51
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: 5feb3d35649ae637dfb59597e11380f02a342b92608a7555b47578895ace0265
                                • Instruction ID: 34ab68d38b763ec4f730f7ad53893de83fa566876287faa254f5a3fd679eba0d
                                • Opcode Fuzzy Hash: 5feb3d35649ae637dfb59597e11380f02a342b92608a7555b47578895ace0265
                                • Instruction Fuzzy Hash: 10C1C170A446068FCB28CF68C4986BEBBB6EF15310F24C65DE45E97291CF31AD4ACB51
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: 0
                                • API String ID: 0-4108050209
                                • Opcode ID: a5e3e72989abdcbdf5dac47b58b3993af2776bb779f14cf321f0919f62a037ab
                                • Instruction ID: c80a2a7ea8ad3bdf6243f1e7a04a64cbce64d5324941f548cdcde5e64f0ccc25
                                • Opcode Fuzzy Hash: a5e3e72989abdcbdf5dac47b58b3993af2776bb779f14cf321f0919f62a037ab
                                • Instruction Fuzzy Hash: 82C1DF70A0065A8FCB29CF68C490A7EBBB1AF55314F64C61EE45E9B291C730ED4DCB91
                                APIs
                                  • Part of subcall function 0290F53F: GetLastError.KERNEL32(00000010,00000000,0291B1F7,0294BD50,0000000C,02910514,0000000C,?,029010CD,00000000,0000000C,?,00000000,00000000,00000000), ref: 0290F543
                                  • Part of subcall function 0290F53F: SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,0288FBC1,?,0288FBC1,0288FBC1,?,02905A35,F4458D02,F4458D02), ref: 0290F5E5
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0291C069
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                • Opcode ID: 4fd8220bee8011d473aef6d4f3a7d144dd996076a2f5e2e3597cb80ebcdaf236
                                • Instruction ID: d83c22abdb4ddb58e513539e1d2fde6db1a91721709370a724751ff4a75a79fb
                                • Opcode Fuzzy Hash: 4fd8220bee8011d473aef6d4f3a7d144dd996076a2f5e2e3597cb80ebcdaf236
                                • Instruction Fuzzy Hash: DE219572A8020AABDF289E26DD41BBE73ADEF44315F10407BE905D7141EB34D9448B56
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0019C871
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                • Opcode ID: b36b57a8103baa7d859237c277e60d09abd89a08e1c84f3765f987d65874d195
                                • Instruction ID: f25543530928671007b1950e75d6f6acd89161ef7d54c88c925fff6c54576952
                                • Opcode Fuzzy Hash: b36b57a8103baa7d859237c277e60d09abd89a08e1c84f3765f987d65874d195
                                • Instruction Fuzzy Hash: 9E21D472A50216ABEF28AB28DC51EBA73A8EF54314F10007AFD01CA141EB74ED44DB90
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • EnumSystemLocalesW.KERNEL32(0019C5CA,00000001,00000000,?,-00000050,?,0019CBFB,00000000,?,?,?,00000055,?), ref: 0019C516
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                • Opcode ID: cc65e11739c47fc28056e959d1bb7c03ea505e9625f140620e9de7752f2b1d50
                                • Instruction ID: 268eab66084f9180a4358fdb54e02596100fe30aae6b0829fd1fb46d7ce17f01
                                • Opcode Fuzzy Hash: cc65e11739c47fc28056e959d1bb7c03ea505e9625f140620e9de7752f2b1d50
                                • Instruction Fuzzy Hash: 7B11C6372007015FEF18AF39D8A16BABB91FB84358B15842DE98687A40D371B943CB80
                                APIs
                                  • Part of subcall function 0290F53F: GetLastError.KERNEL32(00000010,00000000,0291B1F7,0294BD50,0000000C,02910514,0000000C,?,029010CD,00000000,0000000C,?,00000000,00000000,00000000), ref: 0290F543
                                  • Part of subcall function 0290F53F: SetLastError.KERNEL32(00000000,00000000,00000000,?,00000000,0288FBC1,?,0288FBC1,0288FBC1,?,02905A35,F4458D02,F4458D02), ref: 0290F5E5
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0291BFDE,00000000,00000000,?), ref: 0291C270
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                • Opcode ID: 4c97fe543d6a5d1a4fe6a990123c807e241e48a87e476a5b377a9c6deac55b2f
                                • Instruction ID: 33910456cbc5e7f54b4a54758756f4f6a6b620b18c701b279a72962f6926036d
                                • Opcode Fuzzy Hash: 4c97fe543d6a5d1a4fe6a990123c807e241e48a87e476a5b377a9c6deac55b2f
                                • Instruction Fuzzy Hash: A1F023325501197BDB3C5666CC057BA779DEF80B58F050C25DC06A3540DB30FD41C591
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,0019C7E6,00000000,00000000,?), ref: 0019CA78
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$InfoLocale
                                • String ID:
                                • API String ID: 3736152602-0
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • EnumSystemLocalesW.KERNEL32(0019C81D,00000001,00000000,?,-00000050,?,0019CBBF,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 0019C589
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000404,00000008,?,00000020), ref: 0015100E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                APIs
                                  • Part of subcall function 00195BEF: EnterCriticalSection.KERNEL32(?,?,0018A519,00000000,001C02D0,0000000C,0018A4E0,?,?,00192BF7,?,?,0018FCAC,00000001,00000364,?), ref: 00195BFE
                                • EnumSystemLocalesW.KERNEL32(00192C21,00000001,001C06B0,0000000C,00193561,00000000), ref: 00192C6C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CriticalEnterEnumLocalesSectionSystem
                                • String ID:
                                • API String ID: 1272433827-0
                                APIs
                                  • Part of subcall function 0018FB0E: GetLastError.KERNEL32(?,00000008,00199020), ref: 0018FB12
                                  • Part of subcall function 0018FB0E: SetLastError.KERNEL32(00000000,001C07B0,00000024,0018EADA), ref: 0018FBB4
                                • EnumSystemLocalesW.KERNEL32(0019C394,00000001,00000000,?,?,0019CC1D,-00000050,?,?,?,00000055,?,-00000050,?,?,00000000), ref: 0019C472
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast$EnumLocalesSystem
                                • String ID:
                                • API String ID: 2417226690-0
                                APIs
                                • GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,0018E523,?,20001004,00000000,00000002,?,?,0018D89B), ref: 00193724
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoLocale
                                • String ID:
                                • API String ID: 2299586839-0
                                APIs
                                • EnumSystemLocalesW.KERNEL32(Function_00062C21,00000001), ref: 00192DDF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EnumLocalesSystem
                                • String ID:
                                • API String ID: 2099609381-0
                                APIs
                                  • Part of subcall function 00151431: FindResourceExW.KERNEL32(00000000,MUI,00000001,00000000,?,0015145C,00000000,00000000,?,0015156E,00000000,?,?,?,00151635,?), ref: 00151443
                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000000,?,0015156E,00000000,?,?,?,00151635,?,00000000,00000000,00000000), ref: 00151464
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$FindLoad
                                • String ID:
                                • API String ID: 2619053042-0
                                APIs
                                • EnumSystemLocalesW.KERNEL32(Function_00062C21,00000001), ref: 00192DA9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EnumLocalesSystem
                                • String ID:
                                • API String ID: 2099609381-0
                                APIs
                                • SetUnhandledExceptionFilter.KERNEL32(Function_00023C72,00153709), ref: 00153C68
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ExceptionFilterUnhandled
                                • String ID:
                                • API String ID: 3192549508-0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID: GetSystemTimePreciseAsFileTime
                                • API String ID: 0-595813830
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: HeapProcess
                                • String ID:
                                • API String ID: 54951025-0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 289c6f12252c0116c5377a11579027704d4fb07d1395b1801757c2c65905dd31
                                • Instruction ID: cdceaed165aa501cacab8024760bfbf15e3685184249e0a99c06b1eadd99c8cf
                                • Opcode Fuzzy Hash: 289c6f12252c0116c5377a11579027704d4fb07d1395b1801757c2c65905dd31
                                • Instruction Fuzzy Hash: 13E17075A002289FDB25DF58CC80BAAB7B9FF8A304F1541EAD949A7241E7709E91CF41
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLastProcess$CurrentFeatureInfoLocalePresentProcessorTerminate
                                • String ID:
                                • API String ID: 3471368781-0
                                • Opcode ID: 5564d9237bdcc2c44a926061e7d996ad3035bae4f0ec0087fa2d3a449d6eff66
                                • Instruction ID: 3352e1ecd382fbb2edb1eeffc31427df4f0f9dea8b0b5f3b52a2e1388f434a3d
                                • Opcode Fuzzy Hash: 5564d9237bdcc2c44a926061e7d996ad3035bae4f0ec0087fa2d3a449d6eff66
                                • Instruction Fuzzy Hash: DFB113755047019BCF38AF65DDD2AB7B3E8EF54308F14442DEA8786680EB75EA86CB10
                                APIs
                                • GetDlgItemTextW.USER32(?,00000064,?,00000104), ref: 0013F577
                                • GetSystemDirectoryW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,00000104), ref: 0013F587
                                • PathAddBackslashW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 0013F592
                                • lstrcatW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,Viewers\Quikview.exe), ref: 0013F5A2
                                • PathQuoteSpacesW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 0013F5AD
                                • lstrcpyW.KERNEL32(0029390C,001BD420), ref: 0013F5C3
                                • lstrcpyW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,?), ref: 0013F5DD
                                • StrChrW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe,00000020), ref: 0013F61F
                                • lstrcpyW.KERNEL32(0029390C,-00000002), ref: 0013F637
                                • lstrcpyW.KERNEL32(?,C:\Users\user\Documents), ref: 0013F65A
                                • GetDlgItemTextW.USER32(?,00000066,C:\Users\user\Documents,00000104), ref: 0013F669
                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?), ref: 0013F678
                                • SHGetPathFromIDListW.SHELL32(?,C:\Users\user\Documents), ref: 0013F68B
                                • CoTaskMemFree.OLE32(?), ref: 0013F695
                                • GetWindowsDirectoryW.KERNEL32(C:\Users\user\Documents,00000104), ref: 0013F6A7
                                • lstrcmpiW.KERNEL32(?,C:\Users\user\Documents), ref: 0013F6CC
                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0013F6E8
                                • GetDlgItem.USER32(?,00000065), ref: 0013F6FC
                                • SendMessageW.USER32(00000000,00001603,00000000,?), ref: 0013F70B
                                • ImageList_Destroy.COMCTL32(?), ref: 0013F71F
                                • GetDlgItem.USER32(?,00000067), ref: 0013F724
                                • SendMessageW.USER32(00000000,00001603,00000000,?), ref: 0013F733
                                • ImageList_Destroy.COMCTL32(?), ref: 0013F741
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013F76E
                                • lstrcpyW.KERNEL32(?,C:\Windows\system32\Viewers\Quikview.exe), ref: 0013F7AC
                                • PathQuoteSpacesW.SHLWAPI(?), ref: 0013F7BA
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104), ref: 0013F7E2
                                • StrCatBuffW.SHLWAPI(?,0029390C,00000104), ref: 0013F7F6
                                • SendDlgItemMessageW.USER32(?,00000064,000000C5,00000102,00000000), ref: 0013F807
                                • SetDlgItemTextW.USER32(?,00000064,?), ref: 0013F81E
                                • GetDlgItem.USER32(?,00000064), ref: 0013F82B
                                • SHAutoComplete.SHLWAPI(00000000), ref: 0013F834
                                • SendDlgItemMessageW.USER32(?,00000066,000000C5,00000102,00000000), ref: 0013F848
                                • SetDlgItemTextW.USER32(?,00000066,C:\Users\user\Documents), ref: 0013F859
                                • GetDlgItem.USER32(?,00000066), ref: 0013F863
                                • SHAutoComplete.SHLWAPI(00000000), ref: 0013F866
                                • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 0013F89A
                                • StrTrimW.SHLWAPI(?,001BDF90), ref: 0013F8AD
                                • GetDlgItemTextW.USER32(?,00000064,?,00000104), ref: 0013F904
                                • lstrcpyW.KERNEL32(?,?), ref: 0013F920
                                • StrChrW.SHLWAPI(?,00000020), ref: 0013F96E
                                • lstrcpyW.KERNEL32(?,-00000002), ref: 0013F989
                                • LoadStringW.USER32(00002AF9,?,00000020), ref: 0013F9BE
                                • LoadStringW.USER32(00002AF9,?,00000020), ref: 0013F9D9
                                • LoadStringW.USER32(00002AFD,?,00000100), ref: 0013F9F3
                                • LoadStringW.USER32(00002AFD,?,00000100), ref: 0013FA11
                                • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000058), ref: 0013FA61
                                • StrCpyNW.SHLWAPI(?,?,00000104), ref: 0013FA80
                                • PathQuoteSpacesW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000058), ref: 0013FA8E
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104), ref: 0013FAB7
                                • StrCatBuffW.SHLWAPI(?,?,00000104), ref: 0013FACE
                                • SetDlgItemTextW.USER32(?,00000064,?), ref: 0013FADB
                                • PostMessageW.USER32(?,00000028,00000001,00000000), ref: 0013FAE8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Item$Textlstrcpy$Message$PathSend$BuffLoadString$QuoteSpaces$AutoCompleteDestroyDirectoryImageList_$BackslashFileFolderFreeFromListLocationLongNameOpenPostSpecialSystemTaskTrimWindowWindowslstrcatlstrcmpi
                                • String ID: "$C:\Users\user\Documents$C:\Windows\system32\Viewers\Quikview.exe$Viewers\Quikview.exe$X
                                • API String ID: 583393450-254308440
                                • Opcode ID: 7f31330420d890dabb70e9a8c353d2c2a7760769e52d58f671a3c13705e331a0
                                • Instruction ID: 4f68dcd20b10567e2de804b94b887935e3966ea1db932688f6f989116487e5e4
                                • Opcode Fuzzy Hash: 7f31330420d890dabb70e9a8c353d2c2a7760769e52d58f671a3c13705e331a0
                                • Instruction Fuzzy Hash: 73E1A471A44345ABEB20DBA0DC4AFAF77E8FB85704F00052AF649D71E0EBB09955CB52
                                APIs
                                • SetCurrentDirectoryW.KERNEL32(?,?,?), ref: 0014EF0C
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?), ref: 0014EF28
                                • PathFileExistsW.SHLWAPI(?), ref: 0014EF32
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0014EF49
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014EF57
                                • LoadCursorW.USER32(00000000,00007F02), ref: 0014EF7B
                                • SetCursor.USER32(00000000), ref: 0014EF82
                                • DestroyCursor.USER32(00000000), ref: 0014EF89
                                • SendMessageW.USER32(00001027,00000000,00000000), ref: 0014EFA4
                                • GetCurrentDirectoryW.KERNEL32(0000012C,002934AC), ref: 0014EFB4
                                • PathIsRootW.SHLWAPI(002934AC), ref: 0014EFE6
                                • SHGetFileInfoW.SHELL32(002934AC,00000000,?,000002B4,00000200), ref: 0014F020
                                • PathFindFileNameW.SHLWAPI(002934AC), ref: 0014F038
                                • lstrcpyW.KERNEL32(?,00000000), ref: 0014F047
                                • lstrcpyW.KERNEL32(?,002934AC), ref: 0014F06D
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 0014F077
                                • lstrcatW.KERNEL32(?, - [), ref: 0014F090
                                • lstrcatW.KERNEL32(?,?), ref: 0014F0A2
                                • lstrlenW.KERNEL32(00000000), ref: 0014F0B7
                                • lstrcatW.KERNEL32(?,001BE27C), ref: 0014F0D5
                                • SetWindowTextW.USER32(?,?), ref: 0014F102
                                • lstrcmpW.KERNEL32(0029493C,*.*,?,?), ref: 0014F112
                                • SendMessageW.USER32(00001024,00000000,00000000), ref: 0014F161
                                • SendMessageW.USER32(00000440,0000A41E,00000020), ref: 0014F1EF
                                • GetPropW.USER32(?,DirListData), ref: 0014F238
                                • ResetEvent.KERNEL32(?,?,?,?,?,?,?), ref: 0014F24F
                                • ResetEvent.KERNEL32(?,?,?,?,?,?,?), ref: 0014F257
                                • GetPropW.USER32(DirListData), ref: 0014F274
                                • SHGetPathFromIDListW.SHELL32(?,?), ref: 0014F281
                                • lstrcpyW.KERNEL32(002934AC,?,?,?,?,?,?,?,?,?,?), ref: 0014F298
                                • SetCurrentDirectoryW.KERNEL32(002934AC,?,?,?,?,?,?,?,?,?), ref: 0014F2A3
                                • SendMessageW.USER32(0000102B,00000000,?), ref: 0014F2D3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Directory$CurrentPath$FileMessageSend$Cursorlstrcatlstrcpy$EventPropReset$DestroyExistsFindFromInfoListLoadNameRemoveRootSpecTextWindowWindowslstrcmplstrlen
                                • String ID: $ $ - [$*.*$DirListData$\
                                • API String ID: 2993255122-2785365950
                                • Opcode ID: b2eb8e6d368065e570ba172cf0f3042eb2e0831ed78556edfd8168e5c64d17d9
                                • Instruction ID: a0f26e6ad7bda28307bcbb8d0bc896c3b16c41b0f1fbf2a85ea68b0eac718915
                                • Opcode Fuzzy Hash: b2eb8e6d368065e570ba172cf0f3042eb2e0831ed78556edfd8168e5c64d17d9
                                • Instruction Fuzzy Hash: 86E1D175640301EBEB21AB60EC4EF9A7BE8BB45709F00442AF644D72E1DBB0A955CB52
                                APIs
                                • ReleaseCapture.USER32 ref: 00141FE1
                                • SendMessageW.USER32(?,00000202,00000000,00000000), ref: 00141FF1
                                • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 00142043
                                • PathQuoteSpacesW.SHLWAPI(?), ref: 00142062
                                • GetParent.USER32(?), ref: 00142070
                                • SetDlgItemTextW.USER32(00000000), ref: 00142077
                                • GetDlgItemTextW.USER32(?,00000065,?,00000104), ref: 0014208A
                                • DestroyCursor.USER32 ref: 001420D5
                                • DestroyCursor.USER32 ref: 001420DD
                                • DestroyCursor.USER32 ref: 001420E5
                                • EndDialog.USER32(?,00000001), ref: 001420EE
                                • LoadIconW.USER32(0000006B), ref: 00142124
                                • LoadIconW.USER32(0000006C), ref: 00142133
                                • LoadCursorW.USER32(00000064), ref: 00142142
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0014215F
                                • ReleaseCapture.USER32 ref: 00142192
                                • GetCursorPos.USER32(?), ref: 001421B9
                                • WindowFromPoint.USER32(?,?), ref: 001421C7
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001421D8
                                • GetParent.USER32(00000000), ref: 001421E2
                                • GetWindowLongW.USER32(00000000,000000F0), ref: 001421ED
                                • GetWindowTextW.USER32(00000000,?,00000100), ref: 00142209
                                • SetDlgItemTextW.USER32(?,00000064,?), ref: 0014221D
                                • GetClassNameW.USER32(00000000,?,00000100), ref: 0014222A
                                • SetDlgItemTextW.USER32(?,00000065,?), ref: 00142238
                                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00142248
                                • OpenProcess.KERNEL32(00000410,00000000,?), ref: 00142259
                                • EnumProcessModules.PSAPI(00000000,?,00000004,00000000), ref: 0014226E
                                • GetModuleFileNameExW.PSAPI(00000000,?,?,00000100), ref: 00142283
                                • CloseHandle.KERNEL32(00000000), ref: 0014228A
                                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00142298
                                • SetDlgItemTextW.USER32(?,00000064,001BD420), ref: 001422AD
                                • SetDlgItemTextW.USER32(?,00000065,001BD420), ref: 001422B7
                                • SetDlgItemTextW.USER32(?,00000066,001BD420), ref: 001422C1
                                • LoadCursorW.USER32(?,00007F00), ref: 001422E2
                                • SetCursor.USER32(00000000), ref: 001422E9
                                • SendDlgItemMessageW.USER32(?,00000067,00000170,00000000), ref: 001422FF
                                • ReleaseCapture.USER32 ref: 00142305
                                • GetDlgItemTextW.USER32(?,00000065,?,00000100), ref: 00142322
                                • GetDlgItem.USER32(?,00000001), ref: 00142332
                                • EnableWindow.USER32(00000000), ref: 00142335
                                • GetDlgItem.USER32(?,00000001), ref: 0014233E
                                • IsWindowEnabled.USER32(00000000), ref: 00142341
                                • GetDlgItem.USER32(?,00000001), ref: 00142350
                                • PostMessageW.USER32(?,00000028,00000000), ref: 00142356
                                • ChildWindowFromPoint.USER32(?,?,?), ref: 00142367
                                • GetDlgCtrlID.USER32(00000000), ref: 0014236E
                                • SetCapture.USER32(?), ref: 0014237A
                                • SetCursor.USER32 ref: 00142390
                                • SendDlgItemMessageW.USER32(?,00000067,00000170,00000000), ref: 001423A6
                                  • Part of subcall function 00145CA0: GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00145CE5
                                  • Part of subcall function 00145CA0: PathRemoveFileSpecW.SHLWAPI(?), ref: 00145CF3
                                  • Part of subcall function 00145CA0: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00145D06
                                  • Part of subcall function 00145CA0: SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 00145D19
                                  • Part of subcall function 00145CA0: PathIsRelativeW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 00145D2E
                                  • Part of subcall function 00145CA0: PathIsPrefixW.SHLWAPI(?,?), ref: 00145D4B
                                  • Part of subcall function 00145CA0: PathIsPrefixW.SHLWAPI(?,C:\Windows\system32\Viewers\Quikview.exe), ref: 00145D57
                                  • Part of subcall function 00145CA0: PathRelativePathToW.SHLWAPI(?,?,00000010,C:\Windows\system32\Viewers\Quikview.exe,?), ref: 00145D72
                                  • Part of subcall function 00145CA0: lstrcpyW.KERNEL32(?,%CSIDL:MYDOCUMENTS%), ref: 00145D8C
                                  • Part of subcall function 00145CA0: PathAppendW.SHLWAPI(?,?), ref: 00145D9B
                                  • Part of subcall function 00145CA0: lstrcpyW.KERNEL32(?,?), ref: 00145DAE
                                  • Part of subcall function 00145CA0: PathUnExpandEnvStringsW.SHLWAPI(?,?,00000104), ref: 00145E1F
                                  • Part of subcall function 00145CA0: lstrcpynW.KERNEL32(?,?,00000104), ref: 00145E3E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Item$Text$Path$CursorWindow$Message$CaptureLoadSend$DestroyFileNameProcessRelease$FromIconLongModuleParentPointPrefixRelativelstrcpy$AppendChildClassCloseCtrlDialogDirectoryEnableEnabledEnumExpandFolderHandleModulesOpenPostQuoteRemoveSpacesSpecStringsThreadWindowslstrcpyn
                                • String ID:
                                • API String ID: 4248756809-0
                                • Opcode ID: 9e634d00ab4eb4e76288eace0bf3e5b18a9974729f9b0ccf03ddfa963fb0d350
                                • Instruction ID: 6aecdf0b79e48b7aab8624d91446e2418373928e716736433bfaad6e0726cc49
                                • Opcode Fuzzy Hash: 9e634d00ab4eb4e76288eace0bf3e5b18a9974729f9b0ccf03ddfa963fb0d350
                                • Instruction Fuzzy Hash: 15B1C176A00304ABE7209F60FC4DFAA3BECFB49714F000926FA05D65E1EB759994CB61
                                APIs
                                • IsDlgButtonChecked.USER32(?,?), ref: 0013EE54
                                • GetDlgItem.USER32(?,00000065), ref: 0013EE69
                                • EnableWindow.USER32(00000000), ref: 0013EE72
                                • GetDlgItem.USER32(?,00000066), ref: 0013EE79
                                • EnableWindow.USER32(00000000), ref: 0013EE7C
                                • GetDlgItem.USER32(?,00000065), ref: 0013EE8E
                                • EnableWindow.USER32(00000000), ref: 0013EE97
                                • GetDlgItem.USER32(?,00000066), ref: 0013EE9E
                                • EnableWindow.USER32(00000000), ref: 0013EEA1
                                • IsDlgButtonChecked.USER32(?,?), ref: 0013EEBD
                                • GetDlgItem.USER32(?,0000006C), ref: 0013EED2
                                • EnableWindow.USER32(00000000), ref: 0013EEDB
                                • GetDlgItem.USER32(?,0000006D), ref: 0013EEE2
                                • EnableWindow.USER32(00000000), ref: 0013EEE5
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013EF2D
                                • CheckDlgButton.USER32(?,00000067,00000001), ref: 0013EF47
                                • CheckDlgButton.USER32(?,00000068,00000001), ref: 0013EF57
                                • CheckDlgButton.USER32(?,00000069,00000001), ref: 0013EF67
                                • CheckDlgButton.USER32(?,0000006A,00000001), ref: 0013EF77
                                • CheckDlgButton.USER32(?,00000064,00000001), ref: 0013EF8E
                                • CheckRadioButton.USER32(?,00000065,00000066,00000065), ref: 0013EFA6
                                • CheckDlgButton.USER32(?,0000006B,00000001), ref: 0013EFEE
                                • CheckRadioButton.USER32(?,0000006C,0000006D,0000006C), ref: 0013F000
                                • IsDlgButtonChecked.USER32(?,00000067), ref: 0013F074
                                • IsDlgButtonChecked.USER32(?,00000068), ref: 0013F084
                                • IsDlgButtonChecked.USER32(?,00000069), ref: 0013F094
                                • IsDlgButtonChecked.USER32(?,0000006A), ref: 0013F0A4
                                • IsDlgButtonChecked.USER32(?,00000064), ref: 0013F0B4
                                • IsDlgButtonChecked.USER32(?,00000065), ref: 0013F0BD
                                • IsDlgButtonChecked.USER32(?,0000006B), ref: 0013F0DA
                                • IsDlgButtonChecked.USER32(?,0000006C), ref: 0013F0E3
                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0013F102
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Button$Checked$Check$Window$EnableItem$Radio$LongMessageSend
                                • String ID:
                                • API String ID: 1884937005-0
                                • Opcode ID: 2f11762525e5d0c9365e6c63406df73159baf201edc8d52769c35a80c7893015
                                • Instruction ID: 8342b26c616d4a7fe433d930b237341f53ca886d60e81b99aee499797a8d8826
                                • Opcode Fuzzy Hash: 2f11762525e5d0c9365e6c63406df73159baf201edc8d52769c35a80c7893015
                                • Instruction Fuzzy Hash: 9381C935B8071576F630AB78BC4EF6B26CD9B41B15F010426F201FA1D1DBF7D9918AA4
                                APIs
                                • GetCommandLineW.KERNEL32(?,75A3CF90,?,?,?,0014877B), ref: 0014F4E5
                                • StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F509
                                • StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F51A
                                • lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F52C
                                • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F53E
                                • lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F543
                                • LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F54F
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F55B
                                • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F593
                                • lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F5A7
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F5D5
                                • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F60B
                                • lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F61F
                                • GlobalFree.KERNEL32(?), ref: 0014F653
                                • GlobalAlloc.KERNEL32(00000040,0000020C,?,?,?,0014877B), ref: 0014F660
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F66D
                                • StrTrimW.SHLWAPI(00000000,001BE72C,?,?,?,0014877B), ref: 0014F67A
                                • CharUpperW.USER32(00000000,?,?,?,0014877B), ref: 0014F681
                                • CharUpperW.USER32(00000002,?,?,?,0014877B), ref: 0014F6D9
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F6EB
                                • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F721
                                • lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F735
                                • StrCpyNW.SHLWAPI(00290388,00000000,00000104,?,?,?,0014877B), ref: 0014F75D
                                • PathUnquoteSpacesW.SHLWAPI(00290388,?,?,?,0014877B), ref: 0014F772
                                • lstrcpyW.KERNEL32(00290388,001BD624,?,?,?,0014877B), ref: 0014F787
                                • CharUpperW.USER32(00000002,00000022,?,?,?,0014877B), ref: 0014F792
                                • CharUpperW.USER32(00000002,?,?,?,0014877B), ref: 0014F7A3
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F7BB
                                • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F7F1
                                • lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F805
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • lstrcpyW.KERNEL32(00000000,00000000,00000022,?,?,?,0014877B), ref: 0014F8C3
                                • StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F8F9
                                • lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F90D
                                • GlobalFree.KERNEL32(00000000), ref: 0014F934
                                • lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F93B
                                • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F94B
                                • lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F958
                                • LocalFree.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F966
                                • LocalFree.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F969
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcpy$Char$lstrlen$AllocFreeGlobalLocalUpper$Prev$CommandLineNextPathSpacesTrimUnquote
                                • String ID: %i,%i,%i,%i
                                • API String ID: 792320778-2825437791
                                • Opcode ID: c7b2b995219d121023d1a0cef1df4896287c7791aa12a1b257ec6b25775d5f0d
                                • Instruction ID: 73c1aae3008d21832dee003ec84683d695cb404d155477990b62f1442e36beb6
                                • Opcode Fuzzy Hash: c7b2b995219d121023d1a0cef1df4896287c7791aa12a1b257ec6b25775d5f0d
                                • Instruction Fuzzy Hash: 7EB19331600346A6EF156F64AC89B3F36E8AF56704F05443EF506DB3B1EFA898438766
                                APIs
                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0013F181
                                • DeleteObject.GDI32 ref: 0013F1A0
                                • DeleteObject.GDI32 ref: 0013F1A8
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013F1CA
                                • CreateSolidBrush.GDI32(00000000), ref: 0013F201
                                • CreateSolidBrush.GDI32 ref: 0013F20E
                                • CheckRadioButton.USER32(?,00000064,00000065,00000064), ref: 0013F22B
                                • GetDlgItem.USER32(?,00000067), ref: 0013F232
                                • EnableWindow.USER32(00000000), ref: 0013F239
                                • CheckRadioButton.USER32(?,00000064,00000065,00000065), ref: 0013F248
                                • CheckRadioButton.USER32(?,00000068,00000069,00000068), ref: 0013F25A
                                • GetDlgItem.USER32(?,0000006B), ref: 0013F261
                                • EnableWindow.USER32(00000000), ref: 0013F268
                                • CheckRadioButton.USER32(?,00000068,00000069,00000069), ref: 0013F282
                                • GetDlgCtrlID.USER32(?), ref: 0013F2B1
                                • GetDlgCtrlID.USER32(?), ref: 0013F2D3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ButtonCheckRadio$Window$BrushCreateCtrlDeleteEnableItemObjectSolid$LongMessageSend
                                • String ID: $$P4)
                                • API String ID: 3681293412-1209467803
                                • Opcode ID: d73f69eb379f44b343789171f3a327cfe23e98f5ffd63d0209cb2241b4f64d61
                                • Instruction ID: f4ef026a1e8fa103af453dce58583429c037a4a71fe4f8b29badf276782d9c41
                                • Opcode Fuzzy Hash: d73f69eb379f44b343789171f3a327cfe23e98f5ffd63d0209cb2241b4f64d61
                                • Instruction Fuzzy Hash: CAA1AE75A00301EBE720CF25FC5DB9B3BE4BB89714F00042AF144A62E0E7B599A5CF92
                                APIs
                                • EndDialog.USER32(?,00000001), ref: 0013EA53
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013EA75
                                • SetDlgItemTextW.USER32(?,00000064,MiniPath (x86) 1 Build 191), ref: 0013EA89
                                • SetDlgItemTextW.USER32(?,00000065,001BDE28), ref: 0013EA93
                                • SetDlgItemTextW.USER32(?,00000068,Florian Balmer et al. ( metapath )), ref: 0013EA9D
                                • DeleteObject.GDI32(?), ref: 0013EAA9
                                • SendDlgItemMessageW.USER32(?,00000064,00000031,00000000,00000000), ref: 0013EABE
                                • GetStockObject.GDI32(00000011), ref: 0013EACB
                                • GetObjectW.GDI32(00000000,0000005C,?), ref: 0013EADE
                                • CreateFontIndirectW.GDI32(?), ref: 0013EB01
                                • SendDlgItemMessageW.USER32(?,00000064,00000030,00000000,00000001), ref: 0013EB14
                                • GetDlgItem.USER32(?,00000066), ref: 0013EB1F
                                • SetDlgItemTextW.USER32(?,00000067,https://www.rizonesoft.com), ref: 0013EB2D
                                • GetDlgItem.USER32(?,00000067), ref: 0013EB34
                                • ShowWindow.USER32(00000000), ref: 0013EB37
                                • wsprintfW.USER32 ref: 0013EB49
                                • SetDlgItemTextW.USER32(?,00000066,?), ref: 0013EB5A
                                • GetDlgItem.USER32(?,00000069), ref: 0013EB5F
                                • SetDlgItemTextW.USER32(?,0000006A,https://www.flos-freeware.ch), ref: 0013EB6D
                                • GetDlgItem.USER32(?,0000006A), ref: 0013EB74
                                • ShowWindow.USER32(00000000), ref: 0013EB77
                                • wsprintfW.USER32 ref: 0013EB89
                                • SetDlgItemTextW.USER32(?,00000069,?), ref: 0013EB9A
                                • LoadStringW.USER32(0000C366,?,00000100), ref: 0013EBB7
                                • LoadStringW.USER32(0000C366,?,00000100), ref: 0013EBD2
                                • SetDlgItemTextW.USER32(?,00000072,?), ref: 0013EBDC
                                • ShellExecuteW.SHELL32(?,open,mailto:florian.balmer@gmail.com,00000000,00000000,00000001), ref: 0013EC2B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Item$Text$MessageObjectSend$LoadShowStringWindowwsprintf$CreateDeleteDialogExecuteFontIndirectShellStock
                                • String ID: <A>%s</A>$Florian Balmer et al. ( metapath )$MiniPath (x86) 1 Build 191$https://www.flos-freeware.ch$https://www.rizonesoft.com$mailto:florian.balmer@gmail.com$open
                                APIs
                                • IsDlgButtonChecked.USER32(?,00000065), ref: 00142742
                                • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 0014275D
                                • IsDlgButtonChecked.USER32(?,00000069), ref: 00142766
                                • IsDlgButtonChecked.USER32(?,0000006A), ref: 0014277F
                                • GetDlgItemTextW.USER32(?,0000006C,?,00000104), ref: 00142794
                                • GetDlgItemTextW.USER32(?,0000006D,?,00000104), ref: 001427A9
                                • GetDlgItemTextW.USER32(?,0000006E,?,00000104), ref: 001427BE
                                • IsDlgButtonChecked.USER32(?,00000064), ref: 001427EC
                                • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 00142835
                                • lstrcpyW.KERNEL32(00290C60,001BD420), ref: 00142867
                                • lstrcpyW.KERNEL32(00290E70,001BD420), ref: 00142873
                                • IsDlgButtonChecked.USER32(?,00000068), ref: 001428BD
                                • IsDlgButtonChecked.USER32(?,00000069), ref: 001428D9
                                • IsDlgButtonChecked.USER32(?,00000069), ref: 00142910
                                • lstrcpyW.KERNEL32(00290850,001BD420,?,00000069,00000068), ref: 00142944
                                • IsDlgButtonChecked.USER32(?,0000006A), ref: 00142960
                                • GetDlgItemTextW.USER32(?,0000006C,00291080,00000100), ref: 00142983
                                • lstrcpyW.KERNEL32(00291080,001BD420,?,0000006A,00000069,00000068), ref: 00142991
                                • GetDlgItemTextW.USER32(?,0000006D,00290640,00000100), ref: 001429C0
                                • lstrcpyW.KERNEL32(00290640,001BD420), ref: 001429CE
                                • GetDlgItemTextW.USER32(?,0000006E,00290A60,00000100), ref: 001429FD
                                • lstrcpyW.KERNEL32(00290A60,001BD420), ref: 00142A0B
                                • EndDialog.USER32(?,00000001), ref: 00142A43
                                Similarity
                                • API ID: ButtonCheckedItemText$lstrcpy$Dialog
                                • String ID: DDEApplication$DDEMessage$DDETopic$Target Application$TargetApplicationMode$TargetApplicationParams$TargetApplicationPath$TargetApplicationWndClass$UseTargetApplication
                                APIs
                                • CreatePopupMenu.USER32 ref: 0013FF12
                                • GetDlgItemTextW.USER32(?,00000064,002914E8,00000200), ref: 0013FF2A
                                • CheckMenuRadioItem.USER32(00000000,0000FFFF,00000400), ref: 0013FF59
                                • GetDlgItem.USER32(?,00000065), ref: 0013FF74
                                • GetWindowRect.USER32(00000000), ref: 0013FF7B
                                • TrackPopupMenuEx.USER32(00000102,?,?,?,00000000), ref: 0013FF9B
                                • GetMenuStringW.USER32(00000000,?,00000100,00000000), ref: 0013FFBF
                                • SetDlgItemTextW.USER32(?,00000064,00000000), ref: 0014000A
                                • CheckDlgButton.USER32(?,00000066,00000001), ref: 00140015
                                • SetDlgItemTextW.USER32(?,00000064,0000002D), ref: 00140025
                                • CheckDlgButton.USER32(?,00000066,00000000), ref: 00140030
                                • DestroyMenu.USER32 ref: 00140057
                                • GetDlgItem.USER32(?,00000064), ref: 0014006C
                                • PostMessageW.USER32(?,00000028,00000000), ref: 00140076
                                • EndDialog.USER32(?,00000002), ref: 00140099
                                • GetDlgItemTextW.USER32(?,00000064,0029493C,000000FF), ref: 001400C6
                                • IsDlgButtonChecked.USER32(?,00000066), ref: 001400D3
                                • EndDialog.USER32(?,00000001), ref: 001400E7
                                • lstrcpyW.KERNEL32(0029493C,*.*), ref: 00140111
                                • EndDialog.USER32(?,00000001), ref: 00140124
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 00140156
                                • SendDlgItemMessageW.USER32(?,00000064,000000C5,000000FF,00000000), ref: 00140181
                                • SetDlgItemTextW.USER32(?,00000064,0029493C), ref: 0014018F
                                • CheckDlgButton.USER32(?,00000066,00000000), ref: 001401A4
                                • GetDlgItem.USER32(?,00000065), ref: 001401CE
                                • SendMessageW.USER32(00000000,00001603,00000000,?), ref: 001401E1
                                • ImageList_Destroy.COMCTL32(?), ref: 001401EF
                                Similarity
                                • API ID: Item$MenuText$ButtonCheckMessage$DialogSend$DestroyPopup$CheckedCreateImageList_PostRadioRectStringTrackWindowlstrcpy
                                • String ID: *.*$-$Filters
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,75A3CF90), ref: 00134476
                                • lstrcmpiW.KERNEL32(00290388,001BD624), ref: 00134494
                                • ExpandEnvironmentStringsW.KERNEL32(00290388,?,00000138), ref: 001344DD
                                • lstrcpynW.KERNEL32(00290388,?,00000104), ref: 001344F9
                                • PathIsRelativeW.SHLWAPI(00290388), ref: 00134504
                                • lstrcpyW.KERNEL32(?,?), ref: 00134521
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 00134528
                                • PathAppendW.SHLWAPI(?,00290388), ref: 00134538
                                • lstrcpyW.KERNEL32(00290388,?), ref: 00134548
                                • PathFindFileNameW.SHLWAPI(?), ref: 00134575
                                • lstrcpyW.KERNEL32(?,00000000), ref: 00134583
                                • PathRenameExtensionW.SHLWAPI(?,.ini), ref: 00134595
                                • lstrcpyW.KERNEL32(?,minipath.ini), ref: 001345B5
                                • lstrcpyW.KERNEL32(00290388,?), ref: 001345D8
                                • PathRenameExtensionW.SHLWAPI(00290388,.ini), ref: 001345E4
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 0013463E
                                • lstrcatW.KERNEL32(?,\Notepad3.exe), ref: 00134651
                                • PathFindFileNameW.SHLWAPI(?), ref: 0013465F
                                • lstrcpyW.KERNEL32(?,00000000), ref: 00134667
                                • PathRenameExtensionW.SHLWAPI(?,.ini), ref: 00134673
                                • lstrcpyW.KERNEL32(?,notepad3.ini), ref: 00134695
                                • lstrcpyW.KERNEL32(00290180,?), ref: 001346BA
                                • PathRenameExtensionW.SHLWAPI(00290180,.ini), ref: 001346C6
                                Similarity
                                • API ID: Path$lstrcpy$File$ExtensionRename$Name$FindRemoveSpec$AppendEnvironmentExpandModuleRelativeStringslstrcatlstrcmpilstrcpyn
                                • String ID: .ini$\Notepad3.exe$minipath$minipath.ini$notepad3$notepad3.ini
                                APIs
                                • MonitorFromRect.USER32(?,00000002), ref: 00148AD9
                                • GetMonitorInfoW.USER32(00000000,?), ref: 00148AF3
                                • SetRect.USER32(00000028,?,?,?,?), ref: 00148BCF
                                • IntersectRect.USER32(?,?,?), ref: 00148BED
                                • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00148C51
                                • CreateWindowExW.USER32(00000000,MiniPath,MinPath,82CC0000,?,?,00000110,00000280,00000000,00000000,?,00000000), ref: 00148CA4
                                • SetWindowPos.USER32(00000000,000000FF,00000000,00000000,00000000,00000000,00000003), ref: 00148CC8
                                • GetWindowLongW.USER32(00000000,000000EC), ref: 00148CE6
                                • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00148CF5
                                • MulDiv.KERNEL32(?,000000FF,00000064), ref: 00148D03
                                • SetLayeredWindowAttributes.USER32(00000000,00000000,?,00000002), ref: 00148D16
                                • GetWindowLongW.USER32(00000000,000000EC), ref: 00148D1E
                                • SetWindowLongW.USER32(00000000,000000EC,00000000), ref: 00148D2D
                                • ShowWindow.USER32(?), ref: 00148D49
                                • UpdateWindow.USER32 ref: 00148D55
                                • ShowWindow.USER32(00000000), ref: 00148D68
                                • LoadImageW.USER32(00000064,00000001,00000010,00000010,?), ref: 00148D8D
                                • lstrcpyW.KERNEL32(?,?,?,MiniPath), ref: 00148DE1
                                • Shell_NotifyIconW.SHELL32(00000000,000003BC), ref: 00148DEE
                                • GlobalFree.KERNEL32 ref: 00148E0E
                                • SendMessageW.USER32(00001004,00000000,00000000), ref: 00148E9E
                                • PostMessageW.USER32(00000111,00019D0D,00000000), ref: 00148EB9
                                Similarity
                                • API ID: Window$Long$Rect$InfoMessageMonitorShow$AttributesCreateFreeFromGlobalIconImageIntersectLayeredLoadNotifyParametersPostSendShell_SystemUpdatelstrcpy
                                • String ID: ($C:\Users\user\Documents$MRUDirectory$MinPath$MiniPath$Settings
                                APIs
                                  • Part of subcall function 00146080: CoCreateInstance.OLE32(001B378C,00000000,00000001,001AFD7C,?,0000C356,?), ref: 001460AF
                                  • Part of subcall function 00146080: lstrcpyW.KERNEL32(?,?), ref: 001460DB
                                  • Part of subcall function 00146080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00146152
                                  • Part of subcall function 00146080: lstrcpynW.KERNEL32(?,?,?), ref: 0014616C
                                • PathFileExistsW.SHLWAPI(?,771EF860), ref: 0014FC25
                                • PathIsDirectoryW.SHLWAPI(?), ref: 0014FC34
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FC5E
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 0014FC6C
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FC7A
                                • SendMessageW.USER32(00000111,00019D0D,00000000), ref: 0014FC98
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FCD0
                                • PathFileExistsW.SHLWAPI(?), ref: 0014FED7
                                • PathIsDirectoryW.SHLWAPI(?), ref: 0014FEE6
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FF10
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 0014FF1A
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FF28
                                • SendMessageW.USER32(00000111,00019D0D,00000000), ref: 0014FF46
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014FF5A
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014FCAC
                                  • Part of subcall function 00144140: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 001441A1
                                  • Part of subcall function 00144140: SendMessageW.USER32 ref: 00144229
                                  • Part of subcall function 00144140: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00144254
                                  • Part of subcall function 00144140: lstrcmpiW.KERNEL32(?,?), ref: 00144266
                                  • Part of subcall function 00144140: SendMessageW.USER32(?,00001053,00000000,?), ref: 0014427C
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,771EF860), ref: 0014FCEE
                                • lstrcpynW.KERNEL32(?,?,00000104), ref: 0014FD0A
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FD41
                                • GetFileAttributesW.KERNEL32(?), ref: 0014FD4B
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FD66
                                • PostMessageW.USER32(00000111,00019D0D,00000000), ref: 0014FD86
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FD9B
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FDDA
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014FDF5
                                • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 0014FE07
                                • PathIsRootW.SHLWAPI(?), ref: 0014FE21
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FE36
                                • SendMessageW.USER32 ref: 0014FE64
                                • SendMessageW.USER32(00001053,000000FF,00000111), ref: 0014FE78
                                • SendMessageW.USER32(0000102B,00000000,?), ref: 0014FEA2
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FEB8
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FF7E
                                Similarity
                                • API ID: Message$Send$Path$File$Directory$lstrcpy$Current$Info$EnvironmentExistsExpandNameRemoveShortSpecStringslstrcpyn$AttributesCreateInstancePostRootlstrcmpi
                                APIs
                                • SendMessageW.USER32(00001032,00000000,00000000,?), ref: 0014BD29
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                • EnableMenuItem.USER32(?,00009C44,00000000), ref: 0014BD76
                                • EnableMenuItem.USER32(?,00009C44,00000001), ref: 0014BD88
                                • EnableMenuItem.USER32(?,00009C45,00000001), ref: 0014BDB1
                                • EnableMenuItem.USER32(?,00009C46,00000000), ref: 0014BDC1
                                • EnableMenuItem.USER32(?,00009C4A,00000000), ref: 0014BDCA
                                • EnableMenuItem.USER32(?,00009C4B,00000001), ref: 0014BDEA
                                • EnableMenuItem.USER32(?,00009C4C,00000000), ref: 0014BDF3
                                • EnableMenuItem.USER32(?,00009C4D,00000000), ref: 0014BDFC
                                • EnableMenuItem.USER32(?,00009C50,00000000), ref: 0014BE05
                                • SendMessageW.USER32(00000147,00000000,00000000), ref: 0014BE16
                                • EnableMenuItem.USER32(?,00009C53,00000000), ref: 0014BE2B
                                • CheckMenuItem.USER32(?,00009D0A,000000E0), ref: 0014BE45
                                • CheckMenuItem.USER32(?,00009D0B,000000E0), ref: 0014BE59
                                • CheckMenuItem.USER32(?,00009D0C,000000E0), ref: 0014BE6D
                                • lstrcmpW.KERNEL32(0029493C,*.*), ref: 0014BE79
                                • EnableMenuItem.USER32(?,00009D11,00000000), ref: 0014BE9B
                                • CheckMenuItem.USER32(?,00009D13,00000001), ref: 0014BEB0
                                • EnableMenuItem.USER32(?,00009D14,00000000), ref: 0014BEC4
                                • CheckMenuItem.USER32(?,00009D15,00000001), ref: 0014BED9
                                • CheckMenuItem.USER32(?,00009D12,00000001), ref: 0014BEEE
                                • CheckMenuRadioItem.USER32(?,00009D6D,00009D70,-00009D6B,00000000), ref: 0014BF08
                                • CheckMenuItem.USER32(?,00009D71,00000000), ref: 0014BF21
                                • CheckMenuItem.USER32(?,0000EA61,00000000), ref: 0014BF36
                                • EnableMenuItem.USER32(?,00009D16,00000000), ref: 0014BF5C
                                Similarity
                                • API ID: ItemMenu$Enable$Check$MessageSend$Radiolstrcmp
                                • String ID: *.*$C:\Users\user\Desktop\bgsTrRPJh0.ini
                                • API String ID: 4226156974-1748775979
                                • Opcode ID: 125552f26f2cfc2155b9c78968d1ae918c131fef4d1956cdcd440029a0e97883
                                • Instruction ID: 166705a987e47a5b92390982fd307ae8261f5ba4506e5115b823d95d437566c3
                                • Opcode Fuzzy Hash: 125552f26f2cfc2155b9c78968d1ae918c131fef4d1956cdcd440029a0e97883
                                • Instruction Fuzzy Hash: AC5157727D8704BAF721A774EC86FAB72DCEB96709F014012F600E60E2D7A8D9418969
                                APIs
                                • CreateWindowExW.USER32(00000000,tooltips_class32,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,9AAD4D09), ref: 00142A71
                                • GetDlgItem.USER32(?,00000067), ref: 00142A9F
                                • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00142AC9
                                • DestroyWindow.USER32(00000000), ref: 00142AD0
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 00142AE8
                                • SendDlgItemMessageW.USER32(?,00000066,000000C5,00000103,00000000), ref: 00142B16
                                • GetDlgItem.USER32(?,00000066), ref: 00142B1D
                                • SHAutoComplete.SHLWAPI(00000000), ref: 00142B24
                                • SendDlgItemMessageW.USER32(?,0000006C,000000C5,00000080,00000000), ref: 00142B39
                                • SendDlgItemMessageW.USER32(?,0000006D,000000C5,00000080,00000000), ref: 00142B4A
                                • SendDlgItemMessageW.USER32(?,0000006E,000000C5,00000080,00000000), ref: 00142B5B
                                • CheckRadioButton.USER32(?,00000064,00000065,00000064), ref: 00142B7C
                                • GetDlgItem.USER32(?,00000067), ref: 00142CB2
                                • SendMessageW.USER32(00000000,00001603,00000000,?), ref: 00142CC4
                                • ImageList_Destroy.COMCTL32(?), ref: 00142CD1
                                Similarity
                                • API ID: ItemMessageSend$DestroyWindow$AutoButtonCheckCompleteCreateImageList_Radio
                                • String ID: 0$tooltips_class32
                                • API String ID: 2672803554-3619404913
                                • Opcode ID: e3c839b26a86e074a6c77c624cbc7ded39189776f3d22fa433c9ecca697f015d
                                • Instruction ID: b8d62a9a3df3c5a25b0ab1ea70d2b077be1b8e7965eec6e8a96ddd6b6434b1d7
                                • Opcode Fuzzy Hash: e3c839b26a86e074a6c77c624cbc7ded39189776f3d22fa433c9ecca697f015d
                                • Instruction Fuzzy Hash: 6681B435B40318ABEB249F60EC89F7E7BB9FB45B10F500119F601EA5E0EBB59881CB54
                                APIs
                                • GetPropW.USER32(00000000,DirListData), ref: 001433AC
                                • SHGetFileInfoW.SHELL32(Icon,00000010,?,000002B4,00004011), ref: 001433D5
                                • SHGetFileInfoW.SHELL32(Icon,00000080,?,000002B4,00004011), ref: 00143404
                                  • Part of subcall function 00143280: GetPropW.USER32(?,DirListData), ref: 0014328A
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143298
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432A6
                                  • Part of subcall function 00143280: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001432D2
                                  • Part of subcall function 00143280: TranslateMessage.USER32(?), ref: 001432DD
                                  • Part of subcall function 00143280: DispatchMessageW.USER32(?), ref: 001432E4
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432EE
                                  • Part of subcall function 00143280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143301
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 0014330D
                                • lstrcpyW.KERNEL32(?,C:\Users\user\Desktop,?,?), ref: 00143437
                                • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00143448
                                • SendMessageW.USER32(?,00001009,00000000,00000000), ref: 00143458
                                • lstrcmpW.KERNEL32(?,*.*,?,?,?,?,?,?), ref: 001434CA
                                • StrChrW.SHLWAPI ref: 001434F3
                                • StrChrW.SHLWAPI(?,0000003B), ref: 00143520
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0014356C
                                • SHGetDesktopFolder.SHELL32(?,?,?,?,?,?,?,?,?), ref: 00143577
                                • SHGetDataFromIDListW.SHELL32(?,?,00000001,?,00000250), ref: 0014367F
                                • PathMatchSpecW.SHLWAPI(?,?), ref: 001436C6
                                • CoTaskMemAlloc.OLE32(00000008), ref: 001436E9
                                • SendMessageW.USER32(?,0000104D,00000000,?), ref: 00143747
                                • CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?), ref: 00143792
                                • SendMessageW.USER32(?,0000101E,00000000,0000FFFE), ref: 001437FF
                                • SendMessageW.USER32(?,00001030,00000000,00143C30), ref: 00143824
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0014382D
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00143839
                                Similarity
                                • API ID: Message$Send$Event$FileInfoObjectPropSingleTaskWaitlstrcpy$AllocDataDesktopDispatchFolderFreeFromListMatchPathPeekResetSpecTranslatelstrcmp
                                • String ID: *.*$C:\Users\user\Desktop$DirListData$Icon
                                • API String ID: 2929906256-1945651812
                                • Opcode ID: 9f015bcf9e82adec684e6828f62dd9385169eaa52207a0eca5b394325e366d8d
                                • Instruction ID: 01732fa80ee4491ff434a2057199ee95dba2c01bffc99dc3f72951cc2c04d938
                                • Opcode Fuzzy Hash: 9f015bcf9e82adec684e6828f62dd9385169eaa52207a0eca5b394325e366d8d
                                • Instruction Fuzzy Hash: 7BE16CB1204341AFE724CF64C884FABB7F8AF88704F14491DF5A99B2A1D771EA45CB52
                                APIs
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                  • Part of subcall function 001464F0: lstrlenW.KERNEL32(?,?,?,0013E260), ref: 001464F5
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,0013E260), ref: 00146512
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,?,0013E260), ref: 0014651C
                                • lstrcpyW.KERNEL32(?,00000000), ref: 00140F1B
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_00010610,?), ref: 00140F3C
                                • LocalFree.KERNEL32(00000000,?,Function_00010610,?), ref: 00140F49
                                • LocalAlloc.KERNEL32(00000040,00000268), ref: 00140FCC
                                • lstrcpynW.KERNEL32(00000000,Copy/Move MRU,00000100,?,Function_00010610,?), ref: 00140FFD
                                • lstrcmpiW.KERNEL32(00000000,00000000), ref: 00141044
                                • lstrcmpW.KERNEL32(00000000,00000000), ref: 0014104C
                                • LocalFree.KERNEL32(?), ref: 0014106B
                                • StrDupW.SHLWAPI(00000000), ref: 001410A6
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 001410E1
                                • lstrcpynW.KERNEL32(?,?,00000104), ref: 00141100
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_00010610,?), ref: 00141140
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_00010610,?), ref: 00141152
                                • PathIsRelativeW.SHLWAPI(?,?,?,?,?,Function_00010610,?), ref: 0014115C
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?,Function_00010610,?), ref: 00141179
                                • PathAppendW.SHLWAPI(?,?,?,?,?,?,Function_00010610,?), ref: 0014118F
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_00010610,?), ref: 001411A1
                                • PathIsDirectoryW.SHLWAPI(?), ref: 001411AB
                                • PathFindFileNameW.SHLWAPI(?,?,?,?,?,Function_00010610,?), ref: 001411BD
                                • PathAppendW.SHLWAPI(?,00000000,?,?,?,?,Function_00010610,?), ref: 001411CC
                                • SHFileOperationW.SHELL32(?,?,?,?,?,Function_00010610,?), ref: 001411D3
                                • GetFileAttributesW.KERNEL32(?,?,?,?,?,Function_00010610,?), ref: 001411ED
                                • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,Function_00010610,?), ref: 00141203
                                Similarity
                                • API ID: PathResource$FileLocallstrcpy$FreeMessageSend$AllocAppendAttributesCharDirectoryFindPrevlstrcpynlstrlen$CurrentDialogEnvironmentExpandIndirectLoadLockNameOperationParamRelativeSizeofStringslstrcmplstrcmpi
                                • String ID: Copy/Move MRU
                                • API String ID: 3598563394-4109381532
                                • Opcode ID: 13350dbd1ce500f0853fcd64523c97747829eac76cb1b1556d01e62465a692fe
                                • Instruction ID: 526f3c5fc9b59c641ac0e48e425a1056ab1cb87121612d2e245f885bbba33fdc
                                • Opcode Fuzzy Hash: 13350dbd1ce500f0853fcd64523c97747829eac76cb1b1556d01e62465a692fe
                                • Instruction Fuzzy Hash: 649194B2604345ABD720DF60DC89B9BB7ECFF85300F014929F699D31A1EB75A584CB92
                                APIs
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013EC81
                                • CheckDlgButton.USER32(?,0000006B,00000001), ref: 0013ECA5
                                • GetDlgItem.USER32(?,0000006B), ref: 0013ECAE
                                • EnableWindow.USER32(00000000), ref: 0013ECB5
                                • CheckDlgButton.USER32(?,00000064,00000001), ref: 0013ECC9
                                • CheckDlgButton.USER32(?,00000065,00000001), ref: 0013ECD9
                                • CheckDlgButton.USER32(?,00000066,00000001), ref: 0013ECE9
                                • CheckDlgButton.USER32(?,00000067,00000001), ref: 0013ECF9
                                • CheckDlgButton.USER32(?,00000068,00000001), ref: 0013ED09
                                • CheckDlgButton.USER32(?,00000069,00000001), ref: 0013ED19
                                • CheckDlgButton.USER32(?,0000006A,00000001), ref: 0013ED3C
                                • GetDlgItem.USER32(?,0000006B), ref: 0013ED65
                                • IsWindowEnabled.USER32(00000000), ref: 0013ED6C
                                • IsDlgButtonChecked.USER32(?,0000006B), ref: 0013ED7F
                                • IsDlgButtonChecked.USER32(?,00000064), ref: 0013ED8F
                                • IsDlgButtonChecked.USER32(?,00000065), ref: 0013ED9F
                                • IsDlgButtonChecked.USER32(?,00000066), ref: 0013EDAF
                                • IsDlgButtonChecked.USER32(?,00000067), ref: 0013EDBF
                                • IsDlgButtonChecked.USER32(?,00000068), ref: 0013EDCF
                                • IsDlgButtonChecked.USER32(?,00000069), ref: 0013EDDF
                                • IsDlgButtonChecked.USER32(?,0000006A), ref: 0013EDEF
                                • SetWindowLongW.USER32(?,00000000,00000000), ref: 0013EE06
                                Similarity
                                • API ID: Button$CheckChecked$Window$Item$EnableEnabledLongMessageSend
                                • String ID: ReuseWindow$Settings2
                                • API String ID: 803896276-719659277
                                • Opcode ID: 5f9bab5aebfecba1dfe1743e619a05731dab036f76407527043c4d7654dba25c
                                • Instruction ID: 3be7e6b2637d53126ba9f2c776c76fb14aa999d19ee6088a6672a309467673b9
                                • Opcode Fuzzy Hash: 5f9bab5aebfecba1dfe1743e619a05731dab036f76407527043c4d7654dba25c
                                • Instruction Fuzzy Hash: 9641B9317D1715BAF721AB38FC0DFBA32D9AB41701F011A25F501EA1D0DBF68A91CA95
                                APIs
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • PropertySheetW.COMCTL32(?,?,?,?,?), ref: 0013FC75
                                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 0013FC8C
                                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 0013FC9A
                                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 0013FCA8
                                • LocalFree.KERNEL32(?,?,?,?,?,?), ref: 0013FCB6
                                • SetWindowPos.USER32(?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0013FCDA
                                • SendMessageW.USER32(00001036,00000048,00000000), ref: 0013FD02
                                • SendMessageW.USER32(00001036,00000020,00000020), ref: 0013FD1C
                                • SendMessageW.USER32(00001036,00000020,00000000), ref: 0013FD36
                                • lstrcmpW.KERNEL32(0029493C,*.*,?,000000FE,00000000,00000000,00000000,00000000,00000003,?,?,?,?,?), ref: 0013FD55
                                • GetSysColor.USER32(00000012), ref: 0013FD9A
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                • SendMessageW.USER32(00001024,00000000,00D77800), ref: 0013FDB5
                                • SendMessageW.USER32(00001004,00000000,00000000), ref: 0013FDC6
                                • SendMessageW.USER32(00001015,00000000,-00000001), ref: 0013FDD7
                                Similarity
                                • API ID: MessageSend$FreeLocalResource$AllocColorFindInfoLoadLockParametersPropertySheetSizeofSystemWindowlstrcmplstrlen
                                • String ID: *.*$4$8$8$8$8$Explorer$Listview$MiniPath
                                • API String ID: 2619407685-1146650878
                                • Opcode ID: 4cabd1fbea237774bd5178f746c682632cfa59931f6cb788c690c2855c41623d
                                • Instruction ID: 52e046f857e3900909d548cb795b6449db300bdb7c16774f18b7f9a38ee782b0
                                • Opcode Fuzzy Hash: 4cabd1fbea237774bd5178f746c682632cfa59931f6cb788c690c2855c41623d
                                • Instruction Fuzzy Hash: CA61D070A48341ABE7308F10ED4DB5B7BE4AB84744F10492EF658AA2E0DBB59949CF52
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00145CE5
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 00145CF3
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00145D06
                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?), ref: 00145D19
                                • PathIsRelativeW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 00145D2E
                                • PathIsPrefixW.SHLWAPI(?,?), ref: 00145D4B
                                • PathIsPrefixW.SHLWAPI(?,C:\Windows\system32\Viewers\Quikview.exe), ref: 00145D57
                                • PathRelativePathToW.SHLWAPI(?,?,00000010,C:\Windows\system32\Viewers\Quikview.exe,?), ref: 00145D72
                                • lstrcpyW.KERNEL32(?,%CSIDL:MYDOCUMENTS%), ref: 00145D8C
                                • PathAppendW.SHLWAPI(?,?), ref: 00145D9B
                                • lstrcpyW.KERNEL32(?,?), ref: 00145DAE
                                • PathIsRelativeW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 00145DB7
                                • PathCommonPrefixW.SHLWAPI(?,?,00000000), ref: 00145DD2
                                • PathRelativePathToW.SHLWAPI(?,?,00000010,C:\Windows\system32\Viewers\Quikview.exe,?), ref: 00145DF0
                                • lstrcpynW.KERNEL32(?,C:\Windows\system32\Viewers\Quikview.exe,00000104), ref: 00145E08
                                • PathUnExpandEnvStringsW.SHLWAPI(?,?,00000104), ref: 00145E1F
                                • lstrcpynW.KERNEL32(?,?,00000104), ref: 00145E3E
                                • lstrcpynW.KERNEL32(C:\Windows\system32\Viewers\Quikview.exe,?,00000104), ref: 00145E66
                                Similarity
                                • API ID: Path$Relative$Prefixlstrcpyn$Filelstrcpy$AppendCommonDirectoryExpandFolderModuleNameRemoveSpecStringsWindows
                                • String ID: %CSIDL:MYDOCUMENTS%$C:\Windows\system32\Viewers\Quikview.exe
                                • API String ID: 3942253345-3867429074
                                • Opcode ID: 2eff640fb80b7748f86202eaeeec0d7038025a7ba262a70cc546d7f886902eec
                                • Instruction ID: 0056fa99ad7f9fdaacba100409507cb06b6cceb242de24d8485734eda9d5910f
                                • Opcode Fuzzy Hash: 2eff640fb80b7748f86202eaeeec0d7038025a7ba262a70cc546d7f886902eec
                                • Instruction Fuzzy Hash: 5F51BCB2604349ABD720DBA09C49FEB77EDBB89701F44082AF645D3051EB74E548CBA2
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0014CFC1
                                • lstrcpyW.KERNEL32(?,002934AC), ref: 0014CFD4
                                • PathQuoteSpacesW.SHLWAPI(?), ref: 0014CFE2
                                • lstrcatW.KERNEL32(?, -f), ref: 0014CFFB
                                • lstrcatW.KERNEL32(?,001BDF90), ref: 0014D014
                                • lstrcatW.KERNEL32(?,00290388), ref: 0014D023
                                • lstrcatW.KERNEL32(?,001BE6B8), ref: 0014D039
                                • lstrcatW.KERNEL32(?, -n), ref: 0014D048
                                • GetWindowPlacement.USER32(?,?), ref: 0014D05E
                                • MonitorFromRect.USER32(?,00000002), ref: 0014D06E
                                • GetMonitorInfoW.USER32(00000000,?), ref: 0014D082
                                • wsprintfW.USER32 ref: 0014D0E1
                                • lstrcatW.KERNEL32(?,?), ref: 0014D0FA
                                • ShellExecuteW.SHELL32(?,00000000,?,?,00000000,00000001), ref: 0014D113
                                Similarity
                                • API ID: lstrcat$Monitor$ExecuteFileFromInfoModuleNamePathPlacementQuoteRectShellSpacesWindowlstrcpywsprintf
                                • String ID: -f$ -n$ -p %i,%i,%i,%i$($,
                                • API String ID: 3816053248-2039397706
                                • Opcode ID: c96aa781eab2b34638888fade5006caa40d8d848afe7e3498a0e285bf45bb67e
                                • Instruction ID: 5e6aefec8abfc141c1b46a0fb246e17ed41c2f8cca52b2d11ac039850eb2cd17
                                • Opcode Fuzzy Hash: c96aa781eab2b34638888fade5006caa40d8d848afe7e3498a0e285bf45bb67e
                                • Instruction Fuzzy Hash: 8841EC72548349AFEB30DB60DC89EDBB7ECFB89740F40481AF589C3151DB74A5498BA2
                                APIs
                                • StrCmpNIW.SHLWAPI(C:\Users\user\Documents,%CSIDL:MYDOCUMENTS%,00000013,?,00000002), ref: 00145EB3
                                • SHGetFolderPathW.SHELL32(00000000,00000005,00000000,00000000,?,?,00000002), ref: 00145ED3
                                • PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00145EE5
                                • lstrcpynW.KERNEL32(?,C:\Users\user\Documents,00000104,?,00000002), ref: 00145EF4
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138,?,00000002), ref: 00145F0B
                                • lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00145F2A
                                • PathIsRelativeW.SHLWAPI(?,?,00000002), ref: 00145F34
                                • GetModuleFileNameW.KERNEL32(00000000,00000104,00000104,?,00000002), ref: 00145F4A
                                • PathRemoveFileSpecW.SHLWAPI(?,?,00000002), ref: 00145F55
                                • PathAppendW.SHLWAPI(?,?,?,00000002), ref: 00145F68
                                • lstrcpynW.KERNEL32(?,?,00000104,?,00000002), ref: 00145F7D
                                • PathCanonicalizeW.SHLWAPI(?,?,?,00000002), ref: 00145F8C
                                • lstrcpyW.KERNEL32(?,?,?,00000002), ref: 00145FA3
                                • PathGetDriveNumberW.SHLWAPI(?,?,00000002), ref: 00145FAE
                                • CharUpperBuffW.USER32(00000001,00000001,?,00000002), ref: 00145FC0
                                • lstrcpynW.KERNEL32(C:\Users\user\Documents,00000104,00000104,?,00000002), ref: 00145FE6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$lstrcpyn$AppendFile$BuffCanonicalizeCharDriveEnvironmentExpandFolderModuleNameNumberRelativeRemoveSpecStringsUpperlstrcpy
                                • String ID: %CSIDL:MYDOCUMENTS%$C:\Users\user\Documents
                                • API String ID: 1371384388-418798591
                                • Opcode ID: edb2dabffb9e101339397b72f6878dbd04061ab0eccd5f3b0ffef65cab0a080f
                                • Instruction ID: 0d1bcdaccf817c653f9dd7b82c3f0a12701aac0b60847be152bcb4dd9676c5b7
                                • Opcode Fuzzy Hash: edb2dabffb9e101339397b72f6878dbd04061ab0eccd5f3b0ffef65cab0a080f
                                • Instruction Fuzzy Hash: 52410FB2644349ABD720DBA0DC89FEB77EDBB84710F04492AF255C3490DB70D548CB62
                                APIs
                                  • Part of subcall function 00148460: ResolveLocaleName.KERNEL32(en-GB,?,00000055), ref: 0014848A
                                  • Part of subcall function 00148460: GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 001484AD
                                • GetDC.USER32 ref: 00147752
                                • EnumFontsW.GDI32(00000000,Segoe UI,00147510,00000000), ref: 00147766
                                • ReleaseDC.USER32(00000000,00000000), ref: 0014776F
                                • GetDC.USER32(00000000), ref: 001477B2
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001477BD
                                • ReleaseDC.USER32(00000000,00000000), ref: 001477CA
                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 0014781E
                                • SystemParametersInfoW.USER32(00000029,000001F8,000001F4,00000000), ref: 001478DC
                                • MulDiv.KERNEL32(?,00000048,?), ref: 001478FD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: InfoLocaleRelease$CapsDeviceEnumFontsNameParametersResolveSystem
                                • String ID: Malgun Gothic$Microsoft JhengHei UI$Microsoft YaHei UI$Segoe UI$WINDOWSTYLE;WINDOW$Yu Gothic UI
                                • API String ID: 1673905233-1160875775
                                • Opcode ID: 4e7c3e860585c2a62c49d970d3961466cdb642b58a66d7ab62570da9bb3876f2
                                • Instruction ID: 04e1f9fbe049e6db409c0d5a2b1e8381b7989194afd77f29dc69ad7fbe09e278
                                • Opcode Fuzzy Hash: 4e7c3e860585c2a62c49d970d3961466cdb642b58a66d7ab62570da9bb3876f2
                                • Instruction Fuzzy Hash: 6571DE356083028BE7249F24D889BBA77E9FF85715F44092EE956CB2E0EB35C804C792
                                APIs
                                • PathIsRootW.SHLWAPI ref: 00145534
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 00145568
                                • PathFindFileNameW.SHLWAPI(?,?,00000000,?,000002B4,00000200), ref: 00145579
                                • lstrcpyW.KERNEL32(?,00000000,?,?,00000000,?,000002B4,00000200), ref: 0014558E
                                • lstrcpyW.KERNEL32(?,?,?,000002B4,00000200), ref: 001455B0
                                • PathRemoveFileSpecW.SHLWAPI(?,?,?,000002B4,00000200), ref: 001455BA
                                • lstrcatW.KERNEL32(?, - [,?,?,000002B4,00000200), ref: 001455D3
                                • lstrcatW.KERNEL32(?,?,?,?,000002B4,00000200), ref: 001455E5
                                • lstrlenW.KERNEL32(?), ref: 001455FB
                                • lstrcatW.KERNEL32(?,001BE27C), ref: 00145619
                                • lstrcatW.KERNEL32(?,001BE280), ref: 0014562A
                                • lstrcpyW.KERNEL32(?), ref: 00145637
                                • SetWindowTextW.USER32(?,?), ref: 00145646
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcat$FilePathlstrcpy$FindInfoNameRemoveRootSpecTextWindowlstrlen
                                • String ID: - [$\
                                • API String ID: 572060143-3704741174
                                • Opcode ID: c29791ce3a6497c1da84f469ffc7304b0010764dffac07d613351efebc6d6b8c
                                • Instruction ID: 83f7dfac3d9dc37f6a2e9849cc378fb00a99cf8b0796aede6770d8a9d1ce15b3
                                • Opcode Fuzzy Hash: c29791ce3a6497c1da84f469ffc7304b0010764dffac07d613351efebc6d6b8c
                                • Instruction Fuzzy Hash: 6F3152B2905704ABE770EB60DC49FDF77EDAF88700F410829F649D3192E774A5488BA6
                                APIs
                                • GetSysColor.USER32(00000008), ref: 00133FDB
                                • GetSysColor.USER32(00000005), ref: 00133FE4
                                • GetSysColor.USER32(00000017), ref: 00133FED
                                • GetSysColor.USER32(00000018), ref: 00133FF6
                                • GetSysColor.USER32(0000000E), ref: 00133FFF
                                • GetSysColor.USER32(0000000D), ref: 00134008
                                • GetSysColor.USER32(00000002), ref: 00134011
                                • GetSysColor.USER32(00000001), ref: 0013401A
                                • GetSysColor.USER32(0000000F), ref: 00134023
                                • GetSysColor.USER32(0000000F), ref: 0013402C
                                • GetSysColor.USER32(0000000F), ref: 00134035
                                • GetSysColor.USER32(0000000F), ref: 0013403E
                                • GetSysColor.USER32(0000000F), ref: 00134047
                                • GetSysColor.USER32(0000000F), ref: 00134050
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Color
                                • String ID: *.*
                                • API String ID: 2811717613-438819550
                                • Opcode ID: 38221a049901912b35bf29645269c8bb01c11d4dfed0ac03589b07c35f5f87f3
                                • Instruction ID: c6e40262b2c4cf78ebeb080514e0094ade22c47f5bc88c2b32ac134ae1d73011
                                • Opcode Fuzzy Hash: 38221a049901912b35bf29645269c8bb01c11d4dfed0ac03589b07c35f5f87f3
                                • Instruction Fuzzy Hash: F521EF64D5035AAAD724AFB3BC0DB453EA0FF18750F00582BD218CB2B0EBB540A4CFA5
                                APIs
                                  • Part of subcall function 00132810: PathFileExistsW.SHLWAPI(00290388,?,?,00134A32,9AAD4D09), ref: 00132827
                                  • Part of subcall function 00132810: PathIsDirectoryW.SHLWAPI(00290388), ref: 0013283A
                                • lstrcpyW.KERNEL32(00290C60,Notepad3.exe,75A45540), ref: 0015053A
                                • lstrcpyW.KERNEL32(00290E70,001BD420), ref: 00150546
                                • lstrcpyW.KERNEL32(00290850,Notepad3), ref: 00150552
                                • lstrcpyW.KERNEL32(00291080,001BD420), ref: 0015055E
                                • lstrcpyW.KERNEL32(00290640,001BD420), ref: 0015056A
                                • lstrcpyW.KERNEL32(00290A60,001BD420), ref: 00150576
                                  • Part of subcall function 001329E0: lstrlenW.KERNEL32(?,?,?,?,?,001BD420,en-GB,00000055,9AAD4D09), ref: 00132ABC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcpy$Path$DirectoryExistsFilelstrlen
                                • String ID: DDEApplication$DDEMessage$DDETopic$Notepad3$Notepad3.exe$Target Application$TargetApplicationMode$TargetApplicationParams$TargetApplicationPath$TargetApplicationWndClass$UseTargetApplication
                                • API String ID: 3318512330-1779093258
                                • Opcode ID: ddb3d1ff0102f6d97e1f5bf25c815f0d31671195f91863aba23a44d87eb59ade
                                • Instruction ID: d0ed0c7d5a723bc3bdf2a8c20ab410583a681404b4f44871fe90ac2b89fef41b
                                • Opcode Fuzzy Hash: ddb3d1ff0102f6d97e1f5bf25c815f0d31671195f91863aba23a44d87eb59ade
                                • Instruction Fuzzy Hash: 0E414970B90308ABDF107B91BD87BDB3AD1E746B54F100935F90A3A2C1EBF168648792
                                APIs
                                • SendMessageW.USER32 ref: 0014453B
                                • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00144547
                                • SHGetSpecialFolderLocation.SHELL32(?,00000011,?), ref: 0014457E
                                • SHGetDesktopFolder.SHELL32(?), ref: 00144591
                                • SHGetDataFromIDListW.SHELL32(00000000,00000000,00000003,?,00000014), ref: 00144643
                                • CoTaskMemAlloc.OLE32(00000008), ref: 0014465F
                                • SendMessageW.USER32(?,0000040D,00000000,?), ref: 001446A1
                                • SendMessageW.USER32(?,0000040D,00000000,00000020), ref: 001446D2
                                • SendMessageW.USER32(?,0000040B,00000000,?), ref: 001446F1
                                • CoTaskMemFree.OLE32(?), ref: 0014472E
                                • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 00144747
                                • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00144753
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$FolderTask$AllocDataDesktopFreeFromListLocationSpecial
                                • String ID: $'
                                • API String ID: 202417901-2481900351
                                • Opcode ID: 63a0dfd516463bda98b298ea79b78361cba94c3a76964fc31d0344a2113d1de1
                                • Instruction ID: f62ca1316543c5746fdf851da1ec64c70726527cf1749d490379b0fd69dc943d
                                • Opcode Fuzzy Hash: 63a0dfd516463bda98b298ea79b78361cba94c3a76964fc31d0344a2113d1de1
                                • Instruction Fuzzy Hash: 62710871244302AFE710CF58DC91F6AB7E9BF89B04F10491CF694DB2A0DBB1E9468B56
                                APIs
                                • GetDlgItemTextW.USER32(?,00000064,?,00000104), ref: 0013DF7B
                                • EndDialog.USER32(?,00000001), ref: 0013DF9B
                                • StrChrW.SHLWAPI(?,00000020,?,00000001), ref: 0013E005
                                • lstrcpyW.KERNEL32(?,-00000002,?,00000001), ref: 0013E020
                                • lstrcpyW.KERNEL32(?,?,?,00000001), ref: 0013DFB7
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • lstrcpyW.KERNEL32(0000002F,0000002F), ref: 0013E084
                                • StrChrW.SHLWAPI(?,00000020), ref: 0013E0D2
                                • lstrcpyW.KERNEL32(?,-00000002), ref: 0013E0ED
                                • ShellExecuteExW.SHELL32(?), ref: 0013E18E
                                • GetDlgItem.USER32(?,00000064), ref: 0013E19D
                                • PostMessageW.USER32(?,00000028,00000000), ref: 0013E1A7
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcpy$Char$ItemPrevlstrlen$DialogExecuteMessageNextPostShellText
                                • String ID: "$<
                                • API String ID: 2186483312-437245629
                                • Opcode ID: f20e36b5a14599d44308258d07a0c4ad11d900beb4ca5f04edf551c4aef8e132
                                • Instruction ID: 4e685a3041b07ec6aa90c8aa08faecf95fa86fd49d1c1892505137e8cb26af7c
                                • Opcode Fuzzy Hash: f20e36b5a14599d44308258d07a0c4ad11d900beb4ca5f04edf551c4aef8e132
                                • Instruction Fuzzy Hash: AB5151B16043859AD770DB60D885BEFB3E8FF95314F00481EE68997191EF705488CB6B
                                APIs
                                • GetDlgItemTextW.USER32(?,00000066,?,00000104), ref: 0014246F
                                • lstrcpyW.KERNEL32(?,?,?,00000066,?,00000104), ref: 0014248B
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • StrChrW.SHLWAPI(00000022,00000020), ref: 001424DC
                                • lstrcpyW.KERNEL32(?,-00000002), ref: 001424F6
                                • GetOpenFileNameW.COMDLG32(00000058), ref: 0014259F
                                • StrCpyNW.SHLWAPI(?,?,00000104), ref: 001425C0
                                • PathQuoteSpacesW.SHLWAPI(?), ref: 001425E3
                                • StrCatBuffW.SHLWAPI(?,001BDDEC,00000104), ref: 00142610
                                • StrCatBuffW.SHLWAPI(?,?,00000104), ref: 00142625
                                • SetDlgItemTextW.USER32(?,00000066,?), ref: 00142631
                                • PostMessageW.USER32(?,00000028,00000001,00000000), ref: 0014263E
                                • CheckRadioButton.USER32(?,00000064,00000065,00000065), ref: 0014264B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Char$BuffItemPrevTextlstrcpylstrlen$ButtonCheckFileMessageNameNextOpenPathPostQuoteRadioSpaces
                                • String ID: "$X
                                • API String ID: 1396828129-1355838460
                                • Opcode ID: 77c3dbdb6f1f94b6555b886ce6391c4f621e6353429a9293041dffaf98ed7553
                                • Instruction ID: 6b09d490c375dc9d066c8121c68c17027e3390d99ccf44bf741e9576b87d81e5
                                • Opcode Fuzzy Hash: 77c3dbdb6f1f94b6555b886ce6391c4f621e6353429a9293041dffaf98ed7553
                                • Instruction Fuzzy Hash: 4C516F71A442189BEB60DB60DC89BDA73B9FF04704F4041A6E649E71A0EF759AC8CF91
                                APIs
                                • GetSystemMetrics.USER32(0000000B), ref: 00148963
                                • GetSystemMetrics.USER32(0000000C), ref: 00148969
                                • GetSystemMetrics.USER32(00000031), ref: 00148970
                                • GetSystemMetrics.USER32(00000032), ref: 00148977
                                • #381.COMCTL32(?,00000064,00000000,?,00290E68), ref: 00148999
                                • #381.COMCTL32(?,00000064,?,00000000,00290840), ref: 001489B3
                                • LoadCursorW.USER32(?,00007F00), ref: 001489E2
                                • RegisterClassW.USER32(00002000), ref: 00148A04
                                • LoadLibraryW.KERNEL32(erherthgrgherhre.erhgerg,?,00007F00), ref: 00148A27
                                • GlobalAlloc.KERNEL32(00000000,00000000,?,00007F00), ref: 00148A2C
                                • LoadLibraryW.KERNEL32(00000000,?,00007F00), ref: 00148A3B
                                • ExitProcess.KERNEL32 ref: 00148A47
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MetricsSystem$Load$#381Library$AllocClassCursorExitGlobalProcessRegister
                                • String ID: MiniPath$erherthgrgherhre.erhgerg
                                • API String ID: 1239210744-3810413429
                                • Opcode ID: 281fa89d7584b131a61d22d53d69cf42cec35164050568d8389c0c8e43e6e7b9
                                • Instruction ID: ca416a92d55a6ac3359ccb3f550807a12d76e4f955e2d5bb9882675e5eba9b3b
                                • Opcode Fuzzy Hash: 281fa89d7584b131a61d22d53d69cf42cec35164050568d8389c0c8e43e6e7b9
                                • Instruction Fuzzy Hash: 09212171E4031CABEB109FA5ED49BAF7BF8EB49715F100026E608A7290D7B55944CFA1
                                APIs
                                • GetDlgItem.USER32(?,00000065), ref: 00140304
                                • GetWindowTextLengthW.USER32(00000000), ref: 00140307
                                • GetDlgItem.USER32(?,00000001), ref: 00140311
                                • EnableWindow.USER32(00000000), ref: 00140314
                                • SetWindowLongW.USER32(?,00000008,?), ref: 001403A7
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 001403BF
                                • SetDlgItemTextW.USER32(?,00000064,?), ref: 001403CF
                                • SetDlgItemTextW.USER32(?,00000065,?), ref: 001403D5
                                • SendDlgItemMessageW.USER32(?,00000065,000000C5,00000103,00000000), ref: 001403EC
                                • SendDlgItemMessageW.USER32(?,00000065,000000B9,00000000,00000000), ref: 001403FA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Item$MessageSendTextWindow$EnableLengthLong
                                • String ID:
                                • API String ID: 2189001810-0
                                • Opcode ID: 20810b23c250121c4e5f1fc901ee1f9367b3491e21594280c8bc45a881a3f14c
                                • Instruction ID: 1c1c3206d646dcc6ab523b6dc7e97f08a9cf18d9be5d42b24e75c73c1c72cb15
                                • Opcode Fuzzy Hash: 20810b23c250121c4e5f1fc901ee1f9367b3491e21594280c8bc45a881a3f14c
                                • Instruction Fuzzy Hash: 5431D7367803103BF2215B65BC8DF6B3B5CEB8AB12F044416F700EA1D0D7A698929B61
                                APIs
                                  • Part of subcall function 00148460: ResolveLocaleName.KERNEL32(en-GB,?,00000055), ref: 0014848A
                                  • Part of subcall function 00148460: GetLocaleInfoEx.KERNEL32(?,20000001,00000002), ref: 001484AD
                                • GetDC.USER32 ref: 00147752
                                • EnumFontsW.GDI32(00000000,Segoe UI,00147510,00000000), ref: 00147766
                                • ReleaseDC.USER32(00000000,00000000), ref: 0014776F
                                • GetDC.USER32(00000000), ref: 001477B2
                                • GetDeviceCaps.GDI32(00000000,0000005A), ref: 001477BD
                                • ReleaseDC.USER32(00000000,00000000), ref: 001477CA
                                • MulDiv.KERNEL32(?,00000048,00000000), ref: 0014781E
                                • SystemParametersInfoW.USER32(00000029,000001F8,000001F4,00000000), ref: 001478DC
                                • MulDiv.KERNEL32(?,00000048,?), ref: 001478FD
                                Strings
                                Similarity
                                • API ID: InfoLocaleRelease$CapsDeviceEnumFontsNameParametersResolveSystem
                                • String ID: Malgun Gothic$Microsoft JhengHei UI$Microsoft YaHei UI$Segoe UI$WINDOWSTYLE;WINDOW$Yu Gothic UI
                                • API String ID: 1673905233-1160875775
                                • Opcode ID: d3447cd737885eb3a3f2a4cfcc0e1eeebba5d7ea2bdb46a26fdd27927e68f6f9
                                • Instruction ID: 880b8db80ffb443d75819538e26bfeea084608251b87492ed652c5ed2ddeebda
                                • Opcode Fuzzy Hash: d3447cd737885eb3a3f2a4cfcc0e1eeebba5d7ea2bdb46a26fdd27927e68f6f9
                                • Instruction Fuzzy Hash: 7951CC756083029BE7259F24D888BBA77E9FF85311F45092EE946CB2F0EB34C905C792
                                APIs
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                • lstrcpyW.KERNEL32(?,00290C60,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00148FCD
                                • PathStripPathW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00148FD7
                                • PathRemoveExtensionW.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00148FE5
                                • lstrcpyW.KERNEL32(?,Notepad3,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00148FFD
                                • lstrcpyW.KERNEL32(?,...,?,?,?,?,?,?,?,?,?,?,00000208), ref: 00149025
                                • GetMenuItemInfoW.USER32(?,00009C41,00000000,00000030), ref: 00149096
                                • SetMenuItemInfoW.USER32(?,00009C41,00000000,00000030), ref: 001490B4
                                • GetSubMenu.USER32(?,00000000), ref: 001490C4
                                • SetMenuDefaultItem.USER32(00000000,?,00000000,00009C41,00000000), ref: 001490CB
                                Strings
                                Similarity
                                • API ID: Menu$ItemMessagePathSendlstrcpy$Info$DefaultExtensionRemoveStrip
                                • String ID: ...$0$0$Notepad3
                                • API String ID: 2793067833-1122624146
                                • Opcode ID: 584987181442ebc1b58468ac28e9bcfeaa81ddf22db858eac58f60dfd0a712ae
                                • Instruction ID: ec19597387447957dc0c2a2a55d30bd5d1a189df771ec9f87683e737d2dd415a
                                • Opcode Fuzzy Hash: 584987181442ebc1b58468ac28e9bcfeaa81ddf22db858eac58f60dfd0a712ae
                                • Instruction Fuzzy Hash: 6341E2B1904345ABE730DB60DC49FAB77ECBF85709F04091DF69893191EBB4A188CB92
                                APIs
                                • GetSysColor.USER32(0000000F), ref: 0014B8EF
                                • SetBkColor.GDI32(?,00000000), ref: 0014B8F3
                                • GetSysColor.USER32(00000012), ref: 0014B914
                                • SetTextColor.GDI32(?,00000000), ref: 0014B918
                                • GetSystemMetrics.USER32(00000021), ref: 0014B93D
                                • GetWindowDC.USER32(?), ref: 0014B946
                                • FrameRect.USER32(00000000,?), ref: 0014B970
                                • GetSysColorBrush.USER32(00000015), ref: 0014B989
                                • FrameRect.USER32(00000000,?,00000000), ref: 0014B996
                                • ReleaseDC.USER32(?,00000000), ref: 0014B99D
                                • lstrlenW.KERNEL32(?,00000000), ref: 0014B9AD
                                • ExtTextOutW.GDI32(?,?,?,00000402,?,?,00000000), ref: 0014B9CC
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                Strings
                                Similarity
                                • API ID: Color$FrameRectSystemText$BrushInfoMetricsParametersReleaseWindowlstrlen
                                • String ID: 333
                                • API String ID: 1993733190-2463598333
                                • Opcode ID: dfbe4111edd86caa68e06496947d7e4a1de55f683603e8ee948859bcb62cef65
                                • Instruction ID: ce5dceda59054f441722796d101962841373edb8cf73d43d99b3032d02202ad0
                                • Opcode Fuzzy Hash: dfbe4111edd86caa68e06496947d7e4a1de55f683603e8ee948859bcb62cef65
                                • Instruction Fuzzy Hash: 9E4116715082449FE7009F64DC85B7BBBE8FB4D358F04441AFE9992262D730D985CB62
                                APIs
                                • lstrcpyW.KERNEL32(?,001BD420,75A45540,75A48510), ref: 00145933
                                • SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00145949
                                • SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00145963
                                • SendMessageW.USER32(?,00000417,00000000,?), ref: 0014597C
                                • wsprintfW.USER32 ref: 00145996
                                • lstrcatW.KERNEL32(?,?), ref: 001459A9
                                • CharNextW.USER32(?), ref: 001459D1
                                • lstrlenW.KERNEL32(?), ref: 001459E2
                                • lstrlenW.KERNEL32(?), ref: 001459FF
                                • CharPrevW.USER32(?,00000000), ref: 00145A12
                                • CharPrevW.USER32(?,00000000), ref: 00145A2B
                                • lstrcpynW.KERNEL32(?,?,00000200), ref: 00145A41
                                Strings
                                Similarity
                                • API ID: CharMessageSend$Prevlstrlen$Nextlstrcatlstrcpylstrcpynwsprintf
                                • String ID: %i
                                • API String ID: 2047470491-1318497599
                                • Opcode ID: d3c9634d77d4bc1760020aeb1ba51f26395895c7dbf90c1916fb66a3187f0688
                                • Instruction ID: af018cf547953eb81a9da78a6e58f64be0d55f51637d40036ce853c73800028e
                                • Opcode Fuzzy Hash: d3c9634d77d4bc1760020aeb1ba51f26395895c7dbf90c1916fb66a3187f0688
                                • Instruction Fuzzy Hash: 1A419472904704AFD7109B64DC85FABB7EDFB89704F40482AF650D71A2E770E845CBA6
                                APIs
                                • GetSysColor.USER32(0000000F), ref: 001492F8
                                • SetBkColor.GDI32(?,00000000), ref: 00149300
                                • GetSysColor.USER32(00000012), ref: 00149321
                                • SetTextColor.GDI32(?,00000000), ref: 00149329
                                • GetSystemMetrics.USER32(00000021), ref: 00149352
                                • GetWindowDC.USER32(?), ref: 0014935D
                                • FrameRect.USER32(?,?), ref: 0014938F
                                • GetSysColorBrush.USER32(00000015), ref: 001493B4
                                • FrameRect.USER32(00000000,?,00000000), ref: 001493C1
                                • ReleaseDC.USER32(?,00000000), ref: 001493CC
                                • lstrlenW.KERNEL32(?,00000000), ref: 001493DC
                                • ExtTextOutW.GDI32(?,?,?,00000402,?,?,00000000), ref: 001493FB
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                • LoadMenuW.USER32(00000064), ref: 0014A196
                                • GetSubMenu.USER32(00000000,00000004), ref: 0014A1A1
                                • SetForegroundWindow.USER32(?), ref: 0014A1AD
                                • GetCursorPos.USER32(?), ref: 0014A1B8
                                • SetMenuDefaultItem.USER32(00000000,00009E99,00000000), ref: 0014A1C6
                                • TrackPopupMenu.USER32(00000000,00000182,?,?,00000000,?,00000000), ref: 0014A1E2
                                • PostMessageW.USER32(?,00000000,00000000,00000000), ref: 0014A1F7
                                • DestroyMenu.USER32(00000000), ref: 0014A1FE
                                • ShowOwnedPopups.USER32(?,00000001), ref: 0014A256
                                Strings
                                Similarity
                                • API ID: ColorMenu$FrameRectSystemTextWindow$BrushCursorDefaultDestroyForegroundInfoItemLoadMessageMetricsOwnedParametersPopupPopupsPostReleaseShowTracklstrlen
                                • String ID: 333
                                • API String ID: 3530067508-2463598333
                                • Opcode ID: 8d8e050ab269e4d1046c1b6f1f022fc0972554dfe57e517f48449e957dc230ce
                                • Instruction ID: 40dd0e883ad52f13a19de4e66fad2f07843ff85a6042090f5232947636db9c00
                                • Opcode Fuzzy Hash: 8d8e050ab269e4d1046c1b6f1f022fc0972554dfe57e517f48449e957dc230ce
                                • Instruction Fuzzy Hash: 0441CF32108344AFD7119F64E949A7FB7F8FF9A310F04450AF986D72A1D770A886CB62
                                APIs
                                • lstrcpyW.KERNEL32(?,?,?,?), ref: 0014F9D9
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 0014F9ED
                                • lstrcpynW.KERNEL32(?,?,00000104), ref: 0014FA09
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FA3A
                                • GetFileAttributesW.KERNEL32(?), ref: 0014FA77
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FA92
                                • PostMessageW.USER32(00000111,00019D0D,00000000), ref: 0014FAB2
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FAC7
                                • lstrcpyW.KERNEL32(?,?), ref: 0014FAF1
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014FB20
                                • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 0014FB32
                                • PathIsRootW.SHLWAPI(?), ref: 0014FB4C
                                • SetCurrentDirectoryW.KERNEL32(?), ref: 0014FB61
                                • SendMessageW.USER32(00000111,00019D0D,00000000), ref: 0014FB7F
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014FBA6
                                Similarity
                                • API ID: Message$Sendlstrcpy$CurrentDirectoryFile$AttributesEnvironmentExpandInfoPathPostRootStringslstrcpyn
                                • String ID:
                                • API String ID: 3189554786-0
                                • Opcode ID: d60b01fb27a2bbb00e5803b0eed05a4a934f7896d4d1e708b8c1c28b9a784725
                                • Instruction ID: 7c01ce463b08981e4c4e53707a0523413ac0f0328cc88014c5ebc2379eebb18a
                                • Opcode Fuzzy Hash: d60b01fb27a2bbb00e5803b0eed05a4a934f7896d4d1e708b8c1c28b9a784725
                                • Instruction Fuzzy Hash: 40517FB6600340ABE7209B60EC5AFEF77ECAF94300F44482EF649D71E1EB7495588B52
                                APIs
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_00011240,00000001), ref: 00141BF3
                                • LocalFree.KERNEL32(00000000,?,Function_00011240,00000001), ref: 00141C00
                                  • Part of subcall function 00146000: PathFindExtensionW.SHLWAPI(?,.lnk,771EF860), ref: 00146027
                                  • Part of subcall function 00146000: lstrcmpiW.KERNEL32(00000000), ref: 0014602E
                                • lstrcpyW.KERNEL32(?,?), ref: 00141C69
                                • PathFindFileNameW.SHLWAPI(?), ref: 00141C77
                                • PathAppendW.SHLWAPI(?,00000000), ref: 00141C86
                                • SHFileOperationW.SHELL32(?), ref: 00141CCE
                                • GetFileAttributesW.KERNEL32(?), ref: 00141CE8
                                • SetFileAttributesW.KERNEL32(?,00000000), ref: 00141CFE
                                • lstrcpyW.KERNEL32(?,?), ref: 00141D98
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00141DAC
                                • ShellExecuteExW.SHELL32(0000003C), ref: 00141DB7
                                  • Part of subcall function 00146080: CoCreateInstance.OLE32(001B378C,00000000,00000001,001AFD7C,?,0000C356,?), ref: 001460AF
                                  • Part of subcall function 00146080: lstrcpyW.KERNEL32(?,?), ref: 001460DB
                                  • Part of subcall function 00146080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00146152
                                  • Part of subcall function 00146080: lstrcpynW.KERNEL32(?,?,?), ref: 0014616C
                                Strings
                                Similarity
                                • API ID: Resource$FilePath$Findlstrcpy$AttributesFreeLocalName$AllocAppendCreateDialogEnvironmentExecuteExpandExtensionIndirectInstanceLoadLockOperationParamShellShortSizeofStringslstrcmpilstrcpynlstrlen
                                • String ID: <
                                • API String ID: 622433095-4251816714
                                • Opcode ID: 7c7df45562f9f761641265e463bb8bc3de284df415304770f9d34fe1a7710c97
                                • Instruction ID: c68bc68057dd772116aabb2a78b2a11b793e0498c564bd4967ec9a71c9b65bde
                                • Opcode Fuzzy Hash: 7c7df45562f9f761641265e463bb8bc3de284df415304770f9d34fe1a7710c97
                                • Instruction Fuzzy Hash: 645174B1908345ABD720DF60D848B9BB7E9BF89708F00491EF599D3150EB75D588CB93
                                APIs
                                • InitializeCriticalSectionAndSpinCount.KERNEL32(0028EC94,00000FA0,?,?,00152D62), ref: 00152D90
                                • GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,00152D62), ref: 00152D9B
                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,00152D62), ref: 00152DAC
                                • GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00152DBE
                                • GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00152DCC
                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,00152D62), ref: 00152DEF
                                • DeleteCriticalSection.KERNEL32(0028EC94,00000007,?,?,00152D62), ref: 00152E0B
                                • CloseHandle.KERNEL32(00000000,?,?,00152D62), ref: 00152E1B
                                Strings
                                • kernel32.dll, xrefs: 00152DA7
                                • SleepConditionVariableCS, xrefs: 00152DB8
                                • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00152D96
                                • WakeAllConditionVariable, xrefs: 00152DC4
                                Similarity
                                • API ID: Handle$AddressCriticalModuleProcSection$CloseCountCreateDeleteEventInitializeSpin
                                • String ID: SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                APIs
                                Similarity
                                • API ID: Name::operator+$NameName::$Decorator::getReturnTypeoperator+
                                • String ID:
                                APIs
                                • DName::operator+.LIBCMT ref: 0015C22D
                                • DName::operator+.LIBCMT ref: 0015C370
                                  • Part of subcall function 00157C69: shared_ptr.LIBCMT ref: 00157C85
                                • DName::operator+.LIBCMT ref: 0015C31B
                                • DName::operator+.LIBCMT ref: 0015C3BC
                                • DName::operator+.LIBCMT ref: 0015C3CB
                                • DName::operator+.LIBCMT ref: 0015C4F7
                                • DName::operator=.LIBVCRUNTIME ref: 0015C537
                                • DName::DName.LIBVCRUNTIME ref: 0015C54F
                                • DName::operator+.LIBCMT ref: 0015C55E
                                • DName::operator+.LIBCMT ref: 0015C56A
                                  • Part of subcall function 0015DA4E: Replicator::operator[].LIBCMT ref: 0015DA8B
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]shared_ptr
                                • String ID:
                                APIs
                                • SetWindowPos.USER32(00000000,00000000,00000000,?,00000004), ref: 00149667
                                • GetWindowRect.USER32(?), ref: 00149678
                                • SendMessageW.USER32(00000005,00000000,00000000), ref: 001496A9
                                • GetWindowRect.USER32(?), ref: 001496BA
                                • BeginDeferWindowPos.USER32(00000002), ref: 001496D0
                                • DeferWindowPos.USER32(00000000,00000000,00000000,00000000,?,00000064,00000014), ref: 001496F7
                                • GetWindowRect.USER32(?), ref: 00149711
                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000014), ref: 00149752
                                • EndDeferWindowPos.USER32(?), ref: 00149759
                                • SendMessageW.USER32(0000101E,00000000,0000FFFE), ref: 00149777
                                • SendMessageW.USER32(00000404,00000001,?), ref: 00149793
                                • InvalidateRect.USER32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,00000014), ref: 0014979F
                                • SendMessageW.USER32(0000040B,00001000,001BD420), ref: 001497BA
                                Similarity
                                • API ID: Window$DeferMessageRectSend$BeginInvalidate
                                • String ID:
                                APIs
                                • SetWindowPos.USER32(00000000,00000000,00000000,9AAD4D09,00000004), ref: 0014BBAB
                                • GetWindowRect.USER32(?), ref: 0014BBBC
                                • SendMessageW.USER32(00000005,00000000,00000000), ref: 0014BBEB
                                • GetWindowRect.USER32(?), ref: 0014BBF8
                                • BeginDeferWindowPos.USER32(00000002), ref: 0014BC06
                                • DeferWindowPos.USER32(00000000,00000000,00000000,00000000,00000064,00000064,00000014), ref: 0014BC2D
                                • GetWindowRect.USER32(?), ref: 0014BC47
                                • DeferWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000014), ref: 0014BC7D
                                • EndDeferWindowPos.USER32(?), ref: 0014BC84
                                • SendMessageW.USER32(0000101E,00000000,0000FFFE), ref: 0014BC9C
                                • SendMessageW.USER32(00000404,00000001,?), ref: 0014BCB8
                                • InvalidateRect.USER32(00000000,00000001), ref: 0014BCC4
                                • SendMessageW.USER32(0000040B,00001000,001BD420), ref: 0014BCDF
                                Similarity
                                • API ID: Window$DeferMessageRectSend$BeginInvalidate
                                • String ID:
                                APIs
                                • GetWindowLongW.USER32(?,000000FA), ref: 0014BA23
                                • GetWindowLongW.USER32(000000EC), ref: 0014BA5C
                                • SetWindowLongW.USER32(000000EC,00000000), ref: 0014BA6C
                                • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000027,?,000000FA), ref: 0014BA84
                                • SendMessageW.USER32(0000031A,00000000,00000000), ref: 0014BA9F
                                • SendMessageW.USER32(0000040D,00000000,?), ref: 0014BAC7
                                • DestroyWindow.USER32 ref: 0014BAE3
                                • DestroyWindow.USER32 ref: 0014BAEB
                                • DestroyWindow.USER32 ref: 0014BAF3
                                • GetClientRect.USER32(?,?), ref: 0014BB04
                                • SendMessageW.USER32(?,00000005,00000000,?), ref: 0014BB1F
                                • SendMessageW.USER32(0000040B,00001000,?), ref: 0014BB36
                                • UpdateWindow.USER32 ref: 0014BB39
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                Similarity
                                • API ID: Window$MessageSend$DestroyLong$ClientInfoParametersRectSystemUpdate
                                • String ID:
                                APIs
                                • SendMessageW.USER32(?,0000101F,?,?), ref: 001313D7
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                • SendMessageW.USER32(?,00001024,00000000,?), ref: 00131450
                                • SendMessageW.USER32(?,00001026,00000000,?), ref: 00131477
                                • SendMessageW.USER32(?,00001001,00000000,?), ref: 00131485
                                • SendMessageW.USER32(?,0000031A,?,?), ref: 001314CC
                                • RedrawWindow.USER32(?,00000000,00000000,00000407), ref: 001314D8
                                • #413.COMCTL32(?,?,?,?), ref: 001314EA
                                • SetTextColor.GDI32(?,?), ref: 00131513
                                • #413.COMCTL32(?,?,?,?), ref: 00131542
                                Strings
                                Similarity
                                • API ID: MessageSend$#413$ColorInfoParametersRedrawSystemTextWindow
                                • String ID: Header$ItemsView
                                APIs
                                • CreateFileW.KERNEL32(00290388,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00133821
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?), ref: 00133840
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,?,00000040), ref: 001338D5
                                • FlushFileBuffers.KERNEL32(?,?,?,Settings2,ReuseWindow,?,00000000,00000001,00000001), ref: 0013390A
                                • UnlockFileEx.KERNEL32(?,00000000,000000FF,00000000,?,?,?,?,Settings2,ReuseWindow,?,00000000,00000001,00000001), ref: 0013391C
                                Strings
                                • Settings2, xrefs: 001338EE
                                • ReuseWindow, xrefs: 001338E9
                                • %ld, xrefs: 00133893
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 0013393E
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 0013384F
                                Similarity
                                • API ID: File$BuffersByteCharCreateFlushLockMultiUnlockWide
                                • String ID: %ld$AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!$ReuseWindow$Settings2
                                APIs
                                  • Part of subcall function 00146890: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 001468B6
                                • MessageBeep.USER32(00000000), ref: 0014C20C
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                • lstrcpyW.KERNEL32(?,?), ref: 0014C873
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00144FF2
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,?), ref: 00145008
                                  • Part of subcall function 00146530: lstrlenW.KERNEL32(?,75A4EBF0,0013FA1F), ref: 00146534
                                  • Part of subcall function 00146530: CharPrevW.USER32(?,00000000,?), ref: 0014654A
                                • GetSaveFileNameW.COMDLG32(?,?,?,?,?,?), ref: 0014C8FE
                                  • Part of subcall function 00144FA0: LoadCursorW.USER32(00000000,00007F02), ref: 00144FA7
                                  • Part of subcall function 00144FA0: SetCursor.USER32(00000000,?,?,?,?,?), ref: 00144FAE
                                  • Part of subcall function 00144FA0: DestroyCursor.USER32(00000000), ref: 00144FB5
                                  • Part of subcall function 00145060: LocalAlloc.KERNEL32(00000040,?,00000000,771B3070,75A45540,?,0014F3C1,?,00000100,00002712,?), ref: 0014506E
                                  • Part of subcall function 00145060: LoadStringW.USER32(?,00000000,?), ref: 00145087
                                  • Part of subcall function 00145060: LoadStringW.USER32(?,00000000,?), ref: 0014509E
                                  • Part of subcall function 00145060: LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001450C2
                                  • Part of subcall function 00145060: lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001450C9
                                  • Part of subcall function 001458E0: SendMessageW.USER32(0000040B,?,?), ref: 001458F6
                                • SendMessageW.USER32(00000409,00000001,00000000), ref: 0014C95A
                                • InvalidateRect.USER32(00000000,00000001,?,?,?,?,?,?,00000000,00000058), ref: 0014C966
                                • UpdateWindow.USER32 ref: 0014C972
                                • CopyFileW.KERNEL32(?,?,00000000,?,?,?,?,?,?,00000000,00000058), ref: 0014C98A
                                • GetFileAttributesW.KERNEL32(?,?,?,?,?,?,?,00000000,00000058), ref: 0014C9BE
                                • SetFileAttributesW.KERNEL32(?,00000000,?,?,?,?,?,?,00000000,00000058), ref: 0014C9D4
                                • SendMessageW.USER32(00000409,00000000,00000000), ref: 0014C9FC
                                  • Part of subcall function 00142D90: LoadStringW.USER32(?,?,00000200), ref: 00142DEB
                                  • Part of subcall function 00142D90: LoadStringW.USER32(?,?,00000200), ref: 00142E09
                                Strings
                                Similarity
                                • API ID: Message$LoadSend$String$File$Cursor$AttributesLocallstrlen$AllocBeepCharCopyDestroyFreeInvalidateNamePrevRectSaveUpdateWindowlstrcpy
                                • String ID: X
                                APIs
                                • GetDlgItemTextW.USER32(?,00000064,?,00000104), ref: 0013DD02
                                  • Part of subcall function 00146590: ExpandEnvironmentStringsW.KERNEL32(?,00000138,00000138,?,00000000), ref: 001465B5
                                  • Part of subcall function 00146590: lstrcpynW.KERNEL32(?,?,00000104), ref: 001465C6
                                • lstrcpyW.KERNEL32(?,?,?,00000064,?,00000104), ref: 0013DD2F
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • StrChrW.SHLWAPI(?,00000020), ref: 0013DD7D
                                • lstrcpyW.KERNEL32(?,-00000002), ref: 0013DD98
                                • GetOpenFileNameW.COMDLG32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000058), ref: 0013DE2F
                                • lstrcatW.KERNEL32(?,001BDDEC), ref: 0013DE63
                                • lstrcatW.KERNEL32(?,00000000), ref: 0013DE75
                                • SetDlgItemTextW.USER32(?,00000064,?), ref: 0013DE82
                                • PostMessageW.USER32(?,00000028,00000001,00000000), ref: 0013DE8F
                                Strings
                                Similarity
                                • API ID: Char$ItemPrevTextlstrcatlstrcpylstrlen$EnvironmentExpandFileMessageNameNextOpenPostStringslstrcpyn
                                • String ID: "$X
                                APIs
                                • GlobalAlloc.KERNEL32(00000040,0000022C,?,?,?), ref: 001430B3
                                • SetPropW.USER32(00000000,DirListData,00000000), ref: 001430DE
                                • lstrcpyW.KERNEL32(00000010,001BD420,?,?,?), ref: 00143104
                                • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 00143120
                                • SendMessageW.USER32(00000000,00001003,00000001,00000000), ref: 00143135
                                • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004000), ref: 0014314D
                                • SendMessageW.USER32(00000000,00001003,00000000,00000000), ref: 0014315C
                                • CreateEventW.KERNEL32(00000000,00000001,00000000,00000000,?,?,?), ref: 00143180
                                • CreateEventW.KERNEL32(00000000,00000001,00000001,00000000,?,?,?), ref: 00143190
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CreateEventFileInfoMessageSend$AllocGlobalProplstrcpy
                                • String ID: C:\$DirListData
                                • API String ID: 1243389431-2784504048
                                • Opcode ID: f52593b2e06e838a1336b79f37b8c87347c126698dffd7058a97afdc53ad450b
                                • Instruction ID: 52cca5c7e69a6bbde57cc9fe91c8ffaf1eeb6fbf03725de89f7e466b5f20fbf0
                                • Opcode Fuzzy Hash: f52593b2e06e838a1336b79f37b8c87347c126698dffd7058a97afdc53ad450b
                                • Instruction Fuzzy Hash: 653141B1680304BBFB60AF50EC8EF967BECEB09B11F504055FA19AE1C2D7F564488B61
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 00150DE7
                                • MonitorFromRect.USER32 ref: 00150E0F
                                • GetMonitorInfoW.USER32(00000000,?), ref: 00150E1B
                                • EqualRect.USER32(?,?), ref: 00150E6D
                                • SystemParametersInfoW.USER32(00000048,00000008,?,00000000), ref: 00150EA0
                                • DrawAnimatedRects.USER32(?,00000003,?,?), ref: 00150EBA
                                • OffsetRect.USER32(?,?,?), ref: 00150ED7
                                • SetWindowPlacement.USER32(?,0000002C), ref: 00150EE3
                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 00150EEF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Rect$Window$InfoMonitorPlacement$AnimatedDrawEqualFromOffsetParametersRectsSystem
                                • String ID: ($,
                                • API String ID: 1691248947-170869519
                                • Opcode ID: c6accbc9b72accac98ca5dba0415bdf8c14ea84ead4714102e08fa7a3bec7e08
                                • Instruction ID: 8fd35db35af44209c84ee8f49c880ae19a5d36cc038fba772eef4f9a6f1ff691
                                • Opcode Fuzzy Hash: c6accbc9b72accac98ca5dba0415bdf8c14ea84ead4714102e08fa7a3bec7e08
                                • Instruction Fuzzy Hash: 1131F5B1408304AFE301CF64D989AAFBBE8FF89704F40891DF591C6250EB74E988CB52
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 0014DCA8
                                • MonitorFromRect.USER32 ref: 0014DCD0
                                • GetMonitorInfoW.USER32(00000000,?), ref: 0014DCDC
                                • EqualRect.USER32(?,?), ref: 0014DD46
                                • SystemParametersInfoW.USER32(00000048,00000008,?,00000000), ref: 0014DD7F
                                • DrawAnimatedRects.USER32(?,00000003,?,?), ref: 0014DD9C
                                • OffsetRect.USER32(?,?,?), ref: 0014DDBC
                                • SetWindowPlacement.USER32(?,0000002C), ref: 0014DDD1
                                • SetWindowPlacement.USER32(?,0000002C,?,0000002C), ref: 0014DDDC
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Rect$Window$InfoMonitorPlacement$AnimatedDrawEqualFromOffsetParametersRectsSystem
                                • String ID: ($,
                                • API String ID: 1691248947-170869519
                                • Opcode ID: 9fead97fa261f5e67fbaadf5c3f1533f3a21e82b332adb0fadcf6af2c525f3a0
                                • Instruction ID: 9e643c43396ef45f4358396216e393c0bac1a5bf83b0384c7bc8a104dffbf2c4
                                • Opcode Fuzzy Hash: 9fead97fa261f5e67fbaadf5c3f1533f3a21e82b332adb0fadcf6af2c525f3a0
                                • Instruction Fuzzy Hash: CC31CAB55083849FE320CF64D848BAFB7E8FB89304F048A1EF5C996290EB749544CB52
                                APIs
                                • GetPropW.USER32(?,DirListData), ref: 0014328A
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143298
                                • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432A6
                                • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001432D2
                                • TranslateMessage.USER32(?), ref: 001432DD
                                • DispatchMessageW.USER32(?), ref: 001432E4
                                • WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432EE
                                • ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143301
                                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 0014330D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EventMessage$ObjectSingleWait$DispatchPeekPropResetTranslate
                                • String ID: C:\Users\user\Desktop$DirListData
                                • API String ID: 3160958571-719169122
                                • Opcode ID: aab7dd01e64448f76bcb7702635f5306528f88606ebfb0537ac34d9965209994
                                • Instruction ID: 0336175a2327cbfef29953a6ca0b5c47b2309f12483801327733dfe94847f28e
                                • Opcode Fuzzy Hash: aab7dd01e64448f76bcb7702635f5306528f88606ebfb0537ac34d9965209994
                                • Instruction Fuzzy Hash: B3017532640301BBD720ABA5EC49F967BF8FB49720F040929F651D1470EB71E9818B21
                                APIs
                                • ResetEvent.KERNEL32(?), ref: 00143890
                                • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 001438AD
                                • CoInitialize.OLE32(00000000), ref: 001438B8
                                • WaitForSingleObject.KERNEL32(?,00000000,?,00001004,00000000,00000000), ref: 001438E8
                                • SendMessageW.USER32 ref: 0014390F
                                • CoTaskMemAlloc.OLE32(?), ref: 001439D9
                                • SHGetFileInfoW.SHELL32(00000000,00000000,?,000002B4,00004009), ref: 00143A1A
                                • CoTaskMemFree.OLE32(00000000), ref: 00143A21
                                • SHGetDataFromIDListW.SHELL32(?,?,00000001,?,00000250), ref: 00143ACD
                                • SendMessageW.USER32(?,0000104C,00000000,00000002), ref: 00143B09
                                • CoUninitialize.OLE32(?,00001004,00000000,00000000), ref: 00143B32
                                • SetEvent.KERNEL32(?), ref: 00143B3E
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$EventTask$AllocDataFileFreeFromInfoInitializeListObjectResetSingleUninitializeWait
                                • String ID:
                                • API String ID: 2249403244-0
                                • Opcode ID: cc30f0940a2793491ff632a2ed748eb55b49444cf6f55d4e6b3101cd77987386
                                • Instruction ID: 99dc6f9ab73a14c56e3866fb05d11b280b1c0dc1174a1221b7e1eadb1db43613
                                • Opcode Fuzzy Hash: cc30f0940a2793491ff632a2ed748eb55b49444cf6f55d4e6b3101cd77987386
                                • Instruction Fuzzy Hash: 11917971505301ABD720CF64C888B2BBBF8FF89714F14492DF9989B2A1D774DA45CB52
                                APIs
                                • MessageBeep.USER32(00000000), ref: 0014C20C
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                  • Part of subcall function 001464F0: lstrlenW.KERNEL32(?,?,?,0013E260), ref: 001464F5
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,0013E260), ref: 00146512
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,?,0013E260), ref: 0014651C
                                • SendMessageW.USER32(00001032,00000000,00000000), ref: 0014CBC9
                                • lstrcpyW.KERNEL32(?,00000000), ref: 0014CC15
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_000102C0,?), ref: 0014CC3D
                                • LocalFree.KERNEL32(00000000,?,Function_000102C0,?), ref: 0014CC4A
                                • lstrcpyW.KERNEL32(?), ref: 0014CCAC
                                • lstrcatW.KERNEL32(?,?), ref: 0014CCCF
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_000102C0,?), ref: 0014CD13
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_000102C0,?), ref: 0014CD25
                                • SHFileOperationW.SHELL32(?,?,?,?,?,Function_000102C0,?), ref: 0014CD2C
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0014CD5D
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014CD7B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Message$ResourceSend$lstrcpy$CharFileFreeLocalPrevlstrlen$AllocBeepDialogFindIndirectInfoLoadLockOperationParamSizeoflstrcat
                                • String ID:
                                • API String ID: 2905323290-0
                                • Opcode ID: 9b80b629f2545cfc40b39a1c53c9d6c8da5e6d99a72d9728c7764cc865c7067f
                                • Instruction ID: 169b6ee98ee950eae181e279d9e36505d713206cc7846cd0edda40fb69578807
                                • Opcode Fuzzy Hash: 9b80b629f2545cfc40b39a1c53c9d6c8da5e6d99a72d9728c7764cc865c7067f
                                • Instruction Fuzzy Hash: 1841F3B2504344ABD730DBA0DC85FCBB3ECAF89314F00492AF699D3191EB70A548CB56
                                APIs
                                • lstrcpynW.KERNEL32(?,00291080,00000100), ref: 001469C0
                                • wsprintfW.USER32 ref: 001469F3
                                • DdeInitializeW.USER32(?,Function_00016930,00000010,00000000), ref: 00146A0A
                                • DdeCreateStringHandleW.USER32(?,00290640,000004B0), ref: 00146A2E
                                • DdeCreateStringHandleW.USER32(?,00290A60,000004B0), ref: 00146A40
                                • DdeConnect.USER32(?,00000000,00000000,00000000), ref: 00146A5A
                                • lstrlenW.KERNEL32(?,00000000,00000000,00000000,00004050,000000FF,00000000), ref: 00146A7C
                                • DdeClientTransaction.USER32(?,00000000), ref: 00146A92
                                • DdeDisconnect.USER32(00000000), ref: 00146A99
                                • DdeFreeStringHandle.USER32(?,00000000), ref: 00146ABA
                                • DdeFreeStringHandle.USER32(?,00000000), ref: 00146AC5
                                • DdeUninitialize.USER32(?), ref: 00146ACB
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: HandleString$CreateFree$ClientConnectDisconnectInitializeTransactionUninitializelstrcpynlstrlenwsprintf
                                • String ID:
                                • API String ID: 4165874755-0
                                • Opcode ID: f5e9a35426b81cd2ade6888b9f2e17b34d3ff49a64c797fb72da28f7b89adf38
                                • Instruction ID: cd4de694d9b22e12502410ca46d99104d7a308468d7fbcd4f17d3819b9b7b854
                                • Opcode Fuzzy Hash: f5e9a35426b81cd2ade6888b9f2e17b34d3ff49a64c797fb72da28f7b89adf38
                                • Instruction Fuzzy Hash: 4E410671644305ABD7209F50EC49BAB37ECEB86718F144829FA05E31F0E7B5E898C696
                                APIs
                                  • Part of subcall function 0291FE6C: CreateFileW.KERNEL32(?,00000000,?,0292025C,?,?,00000000,?,0292025C,?,0000000C), ref: 0291FE89
                                • GetLastError.KERNEL32 ref: 029202C7
                                • __dosmaperr.LIBCMT ref: 029202CE
                                • GetFileType.KERNEL32(00000000), ref: 029202DA
                                • GetLastError.KERNEL32 ref: 029202E4
                                • __dosmaperr.LIBCMT ref: 029202ED
                                • CloseHandle.KERNEL32(00000000), ref: 0292030D
                                • CloseHandle.KERNEL32(029179A3), ref: 0292045A
                                • GetLastError.KERNEL32 ref: 0292048C
                                • __dosmaperr.LIBCMT ref: 02920493
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                • String ID: H
                                • API String ID: 4237864984-2852464175
                                • Opcode ID: 585ff42787e6d03d91050ec8bb171051bc9631d2a7659badf4029016eb6d3906
                                • Instruction ID: 294e8664159a3bc96ffbf24ed3c7c3dfc227387bf7c5067dc56d9d348c1b75af
                                • Opcode Fuzzy Hash: 585ff42787e6d03d91050ec8bb171051bc9631d2a7659badf4029016eb6d3906
                                • Instruction Fuzzy Hash: FFA15832A0422C9FCF199F68E890BBD3BF6AF56310F14015DE801AB291DB348C5ACB41
                                APIs
                                • FindWindowExW.USER32(00000000,00000000,Shell_TrayWnd,00000000), ref: 00147CA3
                                • FindWindowExW.USER32(00000000,00000000,TrayNotifyWnd,00000000), ref: 00147CB3
                                • GetWindowRect.USER32(00000000,?), ref: 00147CBB
                                • SHAppBarMessage.SHELL32(00000005,?), ref: 00147CE1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$Find$MessageRect
                                • String ID: $$Shell_TrayWnd$TrayNotifyWnd
                                • API String ID: 634609282-1160186678
                                • Opcode ID: 30e96ca78555fe13bbcf62dfdb6182a1ea820d6044ec7b4845e509b15f344280
                                • Instruction ID: 57de67c31b2d212442f1a599ebe8b67acb0145358cf906add17a45a913c4ebdc
                                • Opcode Fuzzy Hash: 30e96ca78555fe13bbcf62dfdb6182a1ea820d6044ec7b4845e509b15f344280
                                • Instruction Fuzzy Hash: DC419CB66043019FD724DF29C986F9ABBE4FF88700F50481EE89AD7290EB34E844CB51
                                APIs
                                • lstrcpyW.KERNEL32(?,001BD420), ref: 0014C4DB
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,00000000,00000001), ref: 00144FF2
                                  • Part of subcall function 00144FE0: LoadStringW.USER32(0000A411,?,?), ref: 00145008
                                  • Part of subcall function 00146530: lstrlenW.KERNEL32(?,75A4EBF0,0013FA1F), ref: 00146534
                                  • Part of subcall function 00146530: CharPrevW.USER32(?,00000000,?), ref: 0014654A
                                • GetSaveFileNameW.COMDLG32 ref: 0014C591
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000002,00000080,00000000), ref: 0014C5B9
                                • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000,00000058), ref: 0014C5E2
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,00000000,00000058), ref: 0014C5F8
                                • PathRemoveFileSpecW.SHLWAPI(?,?,?,?,?,00000000,00000058), ref: 0014C602
                                • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,00000000,00000058), ref: 0014C610
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0014C629
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 0014C647
                                  • Part of subcall function 00144140: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 001441A1
                                  • Part of subcall function 00144140: SendMessageW.USER32 ref: 00144229
                                  • Part of subcall function 00144140: GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00144254
                                  • Part of subcall function 00144140: lstrcmpiW.KERNEL32(?,?), ref: 00144266
                                  • Part of subcall function 00144140: SendMessageW.USER32(?,00001053,00000000,?), ref: 0014427C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$MessageNamePathSend$LoadShortStringlstrcpy$CharCloseCreateCurrentDirectoryHandleInfoPrevRemoveSaveSpeclstrcmpilstrlen
                                • String ID: X
                                • API String ID: 394757100-3081909835
                                • Opcode ID: 506e310bdfb02b662fae3795b0d9d07ae3e3a8d7752f4962773c4190d9a9819a
                                • Instruction ID: cba3746a0a5a9fff7af87258b9aee667ecbd4eef16c99364623276cb7b4da2bc
                                • Opcode Fuzzy Hash: 506e310bdfb02b662fae3795b0d9d07ae3e3a8d7752f4962773c4190d9a9819a
                                • Instruction Fuzzy Hash: 814183B5645344ABE730EB60DC49FDBB3ECBB84714F004829F689D61D2EBB4624C8B52
                                APIs
                                • lstrcpyW.KERNEL32(?,001BD420), ref: 0013DBA3
                                • LoadStringW.USER32(?,?,00000100), ref: 0013DBBA
                                • LoadStringW.USER32(?,?,00000100), ref: 0013DBD5
                                • SHGetSpecialFolderLocation.SHELL32(?,?,?,?,?,00000100), ref: 0013DBE8
                                • CoTaskMemFree.OLE32(?,?,?,?,?,?,00000100), ref: 0013DBF6
                                • SHBrowseForFolderW.SHELL32 ref: 0013DC31
                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0013DC45
                                • CoTaskMemFree.OLE32(00000000), ref: 0013DC4C
                                • CoTaskMemFree.OLE32(?), ref: 0013DC57
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeTask$FolderLoadString$BrowseFromListLocationPathSpeciallstrcpy
                                • String ID: A
                                • API String ID: 3620191483-3554254475
                                • Opcode ID: 0ef89ca21ec2c970f0a91a13152c4e5e768133575d562a5281cafe1a704afda2
                                • Instruction ID: 82f82b3656b4c64773448c1e1131504021f56897a53c55762063a30d574069cf
                                • Opcode Fuzzy Hash: 0ef89ca21ec2c970f0a91a13152c4e5e768133575d562a5281cafe1a704afda2
                                • Instruction Fuzzy Hash: 25315971505345AFD310EF25EC88A9BBBE8FF89710F41092EF549D2260DB74E948CB96
                                APIs
                                • StrRChrW.SHLWAPI(00290388,00000000,0000005C,?,?,?,001354A3), ref: 0013408A
                                • SHCreateDirectoryExW.SHELL32(00000000,00290388,00000000,?,?,?,001354A3), ref: 001340A2
                                • PathFileExistsW.SHLWAPI(00290388,?,?,?,001354A3), ref: 001340B5
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 001340C4
                                • CreateFileW.KERNEL32(00290388,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001354A3), ref: 001340E3
                                • GetFileSize.KERNEL32(00000000,?), ref: 001340FE
                                • CloseHandle.KERNEL32(00000000), ref: 00134107
                                • CreateFileW.KERNEL32(00290388,40000000,00000003,00000000,00000002,00000080,00000000,?,?,?,001354A3), ref: 00134131
                                • CloseHandle.KERNEL32(00000000,?,?,?,001354A3), ref: 0013413D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$Create$CloseDirectoryHandlePath$ExistsSize
                                • String ID: minipath
                                • API String ID: 3237904083-3157150768
                                • Opcode ID: b0768f8f744c997ae8468d9885e90fa6ace2e33a0c2c2f4b554fd4c0f8882d9a
                                • Instruction ID: 6445614ffd747724ec1735a88bb3daf882240340c1b9c25b2902accc95f96f35
                                • Opcode Fuzzy Hash: b0768f8f744c997ae8468d9885e90fa6ace2e33a0c2c2f4b554fd4c0f8882d9a
                                • Instruction Fuzzy Hash: BF21E972750300BFF7301B68AC4AF5A2698EB91F22F244265FE01E71D0D7E0A8D4466D
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: shared_ptr$operator+$Name::operator+Name::operator=
                                • String ID:
                                • API String ID: 1464150960-0
                                • Opcode ID: 39212124471baf88b8047a66704296ddb341adbb231003f9ce1b4d8d9e146d66
                                • Instruction ID: 503d16649bd1687cbcc38bff865b08f8c646cfdb057f3c040e9d6d6364f7d483
                                • Opcode Fuzzy Hash: 39212124471baf88b8047a66704296ddb341adbb231003f9ce1b4d8d9e146d66
                                • Instruction Fuzzy Hash: 23E17CB1C0420ADFCB08DF94D589AFEBBB4EB18306F14815AD9226F241D7795A4DCF92
                                APIs
                                • GetDlgItem.USER32(?,00000064), ref: 00141E1F
                                • GetWindowTextLengthW.USER32(00000000), ref: 00141E22
                                • GetDlgItem.USER32(?,00000001), ref: 00141E2F
                                • EnableWindow.USER32(00000000), ref: 00141E32
                                • SetWindowLongW.USER32(?,00000008,?), ref: 00141E94
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 00141EAC
                                • SendDlgItemMessageW.USER32(?,00000064,000000C5,00000103,00000000), ref: 00141EC1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ItemWindow$MessageSend$EnableLengthLongText
                                • String ID:
                                • API String ID: 944039030-0
                                • Opcode ID: 0e979af4032c6ff1ea985a6e74842240b738d8c83bc73a775542be38be9079a6
                                • Instruction ID: 2eb6dc3017e371fe4136150471fdda7d3c4524d4ab13dc58a443e1cc358d004f
                                • Opcode Fuzzy Hash: 0e979af4032c6ff1ea985a6e74842240b738d8c83bc73a775542be38be9079a6
                                • Instruction Fuzzy Hash: FD21A53AA403107BF6215B64FC0DF9B3B94EB46711F008901FA81AA1E1D7B69DD1CB91
                                APIs
                                • Replicator::operator[].LIBCMT ref: 0015DA8B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Replicator::operator[]
                                • String ID: @$generic-type-$template-parameter-
                                • API String ID: 3676697650-1320211309
                                • Opcode ID: 1f1738e34f122a872ce09c07f28fe34346f5bc42222b27c4bca1a384282e7b7a
                                • Instruction ID: 4ad51963bce2665663106e321d4f5685bfc6298c99f400775015e3c68744ce7a
                                • Opcode Fuzzy Hash: 1f1738e34f122a872ce09c07f28fe34346f5bc42222b27c4bca1a384282e7b7a
                                • Instruction Fuzzy Hash: C561F771D04209DFCB14DFA4F946BEEBBF8AF19301F144029E921AB292DB74994DCB91
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: operator+$Name::operator+
                                • String ID: cli::array<$cli::pin_ptr<$std::nullptr_t$std::nullptr_t $void$void
                                • API String ID: 1198235884-2239912363
                                • Opcode ID: 1cae194b40cdc98c0b8a278d049bfb011b7f722b0b76e97f46614df895fa05ca
                                • Instruction ID: 9b17c3f552fda0ffb34719f2dd11ec0c10ffeb754ad386adc3326ad7ea2d95b7
                                • Opcode Fuzzy Hash: 1cae194b40cdc98c0b8a278d049bfb011b7f722b0b76e97f46614df895fa05ca
                                • Instruction Fuzzy Hash: 61418A7DE04218EFDF59CF94C858BAE7BF5BB00328F088449E619AB241D7759688CF81
                                APIs
                                • lstrcpyW.KERNEL32(?,001BD420,?,?,?,?), ref: 0013DA5D
                                • LoadStringW.USER32(00002AFF,?,00000100), ref: 0013DA74
                                • LoadStringW.USER32(00002AFF,?,00000100), ref: 0013DA8F
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?), ref: 0013DAA8
                                • GetCurrentDirectoryW.KERNEL32(00000104,?,?,?,?,?), ref: 0013DABD
                                • SHBrowseForFolderW.SHELL32 ref: 0013DB07
                                • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 0013DB15
                                • CoTaskMemFree.OLE32(00000000), ref: 0013DB1C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LoadStringlstrcpy$BrowseCurrentDirectoryFolderFreeFromListPathTask
                                • String ID: A
                                • API String ID: 2100424654-3554254475
                                • Opcode ID: 47eec1173442b3d7759471ea70e5fd3b3d42427d224720f4aacc2a0d617f6bc7
                                • Instruction ID: daf2ccf96ce9f99effe7b573490b3dbd692f64983c6eb759dfe68b5b2433c3d3
                                • Opcode Fuzzy Hash: 47eec1173442b3d7759471ea70e5fd3b3d42427d224720f4aacc2a0d617f6bc7
                                • Instruction Fuzzy Hash: A03152B1508345AFD320DF50EC49B9BBBE8FF89714F41082AFA49D7250E774A648CB96
                                APIs
                                • lstrcmpW.KERNEL32(?,001BE2D8,0000C356,771EF860,0014FA23,?), ref: 00146650
                                • lstrcmpW.KERNEL32(?,001BE2E0), ref: 0014665C
                                • lstrcmpW.KERNEL32(?,001BE2D8), ref: 00146668
                                • PathIsRootW.SHLWAPI(002934AC), ref: 00146673
                                • lstrcpynW.KERNEL32(?,*.*,00000104), ref: 0014668B
                                • SearchPathW.KERNEL32(002934AC,?,00000000,00000104,?,00000000), ref: 001466B4
                                • SearchPathW.KERNEL32(C:\Users\user\Documents,?,00000000,00000104,?,00000000), ref: 001466CE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Pathlstrcmp$Search$Rootlstrcpyn
                                • String ID: *.*$C:\Users\user\Documents
                                • API String ID: 2623810893-2594368739
                                • Opcode ID: 49c4bde0d88d2aa8a2e8f8ef1feaf93f79b7f8d1c7dac2084306ab15bf610ab9
                                • Instruction ID: 9ed3b226a6390e8e0d97d5c0ed088f60ef8cf18d826ce8976cac255ccf29195e
                                • Opcode Fuzzy Hash: 49c4bde0d88d2aa8a2e8f8ef1feaf93f79b7f8d1c7dac2084306ab15bf610ab9
                                • Instruction Fuzzy Hash: 8801DB753803227BEF1456266C1BFEF15DC9F83B68F064428F501E51D4EBA0DC81457A
                                APIs
                                • DName::operator+.LIBCMT ref: 0015CD61
                                • UnDecorator::getSignedDimension.LIBCMT ref: 0015CD6C
                                • UnDecorator::getSignedDimension.LIBCMT ref: 0015CE58
                                • UnDecorator::getSignedDimension.LIBCMT ref: 0015CE75
                                • UnDecorator::getSignedDimension.LIBCMT ref: 0015CE92
                                • DName::operator+.LIBCMT ref: 0015CEA7
                                • UnDecorator::getSignedDimension.LIBCMT ref: 0015CEC1
                                • swprintf.LIBCMT ref: 0015CF3B
                                • DName::operator+.LIBCMT ref: 0015CF96
                                  • Part of subcall function 00158D0A: DName::DName.LIBVCRUNTIME ref: 00158D68
                                • DName::DName.LIBVCRUNTIME ref: 0015D00D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Decorator::getDimensionSigned$Name::operator+$NameName::$swprintf
                                • String ID:
                                • API String ID: 3689813335-0
                                • Opcode ID: 90eb3a692e8def09514a9a0a9de522e0065c774c1f55b71036236921ed47a15d
                                • Instruction ID: f265ad5d173800187e25583b48c767e1d205b8972729e618b0f95de31b93f8a9
                                • Opcode Fuzzy Hash: 90eb3a692e8def09514a9a0a9de522e0065c774c1f55b71036236921ed47a15d
                                • Instruction Fuzzy Hash: 5691847280430ADDCB189FB4E94A9FE7B78AB15302F10042AF931AE191DB799A0D97D1
                                APIs
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                  • Part of subcall function 001464F0: lstrlenW.KERNEL32(?,?,?,0013E260), ref: 001464F5
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,0013E260), ref: 00146512
                                  • Part of subcall function 001464F0: CharPrevW.USER32(?,?,?,?,?,0013E260), ref: 0014651C
                                • lstrcpyW.KERNEL32(?,00000000), ref: 00140476
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_000102C0,?), ref: 0014049A
                                • LocalFree.KERNEL32(00000000,?,Function_000102C0,?), ref: 001404A7
                                • lstrcpyW.KERNEL32(?,?), ref: 00140503
                                • lstrcatW.KERNEL32(?,?), ref: 00140526
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_000102C0,?), ref: 0014056A
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,Function_000102C0,?), ref: 0014057C
                                • SHFileOperationW.SHELL32(?,?,?,?,?,Function_000102C0,?), ref: 00140583
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 001405AD
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 001405CC
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$MessageSendlstrcpy$CharFileFreeLocalPrevlstrlen$AllocDialogFindIndirectInfoLoadLockOperationParamSizeoflstrcat
                                • String ID:
                                • API String ID: 606905921-0
                                • Opcode ID: e1bae0c6bbcfbe2065d738efdbfadcdcc620830b35bd812031921effe666da69
                                • Instruction ID: 63539bf201460b8182672d8e4d99ffd6b067405525de06e8d9ce0c91143181f5
                                • Opcode Fuzzy Hash: e1bae0c6bbcfbe2065d738efdbfadcdcc620830b35bd812031921effe666da69
                                • Instruction Fuzzy Hash: 814172B25043489BD320DBA0DC85FDFB3ECAF98314F00092AF659C7191EB74A6488B96
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: :$f$f$f$p$p$p
                                • API String ID: 3732870572-1434680307
                                • Opcode ID: 3be218a9bba03cae0e15d5f43777db04633dce69e25e5bd01d464dfa917906bb
                                • Instruction ID: 1c9abfb1b9e609bfd45be2de7efc55e9ace226673efa290d15cd6e478ced2da8
                                • Opcode Fuzzy Hash: 3be218a9bba03cae0e15d5f43777db04633dce69e25e5bd01d464dfa917906bb
                                • Instruction Fuzzy Hash: DD029E35E01148DADF24CFA5EC696EDBBB6FF40B18FA48109D4157B285DB308EA8CB14
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028EA16B
                                  • Part of subcall function 028DF940: __EH_prolog3.LIBCMT ref: 028DF947
                                  • Part of subcall function 028DF940: std::_Lockit::_Lockit.LIBCPMT ref: 028DF951
                                  • Part of subcall function 028DF940: std::_Lockit::~_Lockit.LIBCPMT ref: 028DF9C2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: H_prolog3Lockitstd::_$Lockit::_Lockit::~_
                                • String ID: %H : %M$%H : %M : %S$%I : %M : %S %p$%b %d %H : %M : %S %Y$%d / %m / %y$%m / %d / %y$:AM:am:PM:pm
                                • API String ID: 1538362411-2891247106
                                • Opcode ID: 461ff88b5ae95102ee7a530108ec1df40d6e53e3fba6c773360d63f7e824283a
                                • Instruction ID: 30c564bc6a1840b620dab442267dcdcf19b91ca976824721ff4d018d5a680fdb
                                • Opcode Fuzzy Hash: 461ff88b5ae95102ee7a530108ec1df40d6e53e3fba6c773360d63f7e824283a
                                • Instruction Fuzzy Hash: 85B18D7D50010AABDF1DDE68C959DFE3BA9EF46B08F048119FA0BE6261D732D910CB61
                                APIs
                                • lstrcpynW.KERNEL32(?,?,000001FE,44000000,?,75A45540), ref: 00145AB4
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • lstrlenW.KERNEL32(00000000,?,?,?,?,75A45540), ref: 00145AE2
                                • SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00145B21
                                • SendMessageW.USER32(?,00000416,00000000,00000000), ref: 00145B3A
                                • SendMessageW.USER32(?,00000444,00000001,0028E7B4), ref: 00145BC8
                                • lstrlenW.KERNEL32(00000000,?,?,?,?,?,?,?,75A45540), ref: 00145BCB
                                • SendMessageW.USER32(?,00000418,00000000,00000000), ref: 00145BE3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSendlstrlen$Char$Prev$Nextlstrcpyn
                                • String ID:
                                • API String ID: 1478935676-3916222277
                                APIs
                                • CreateFileW.KERNEL32(00290388,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 001335C1
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?), ref: 001335E0
                                • FlushFileBuffers.KERNEL32(?,?,?,minipath,?,?,00000000,00000001,00000001), ref: 00133665
                                • UnlockFileEx.KERNEL32(?,00000000,000000FF,00000000,?,?,?,?,minipath,?,?,00000000,00000001,00000001), ref: 00133677
                                • CloseHandle.KERNEL32(?,?,00000000,000000FF,00000000,?,?,?,?,minipath,?,?,00000000,00000001,00000001), ref: 0013367E
                                Strings
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 001336A9
                                • minipath, xrefs: 0013363E
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 001335F3
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$BuffersCloseCreateFlushHandleLockUnlock
                                • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!$minipath
                                • API String ID: 3886186091-1287712860
                                APIs
                                • CreateFileW.KERNEL32(00290388,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00133ACF
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?), ref: 00133AEE
                                • FlushFileBuffers.KERNEL32(?,?,?,?,SaveSettings,?), ref: 00133B5E
                                • UnlockFileEx.KERNEL32(?,00000000,000000FF,00000000,?,?,?,?,?,SaveSettings,?), ref: 00133B70
                                • CloseHandle.KERNEL32(?,?,00000000,000000FF,00000000,?,?,?,?,?,SaveSettings,?), ref: 00133B77
                                Strings
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 00133BA2
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 00133AFD
                                • SaveSettings, xrefs: 00133B41
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$BuffersCloseCreateFlushHandleLockUnlock
                                • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!$SaveSettings
                                • API String ID: 3886186091-4113319956
                                APIs
                                • LocalAlloc.KERNEL32(00000040,00000268), ref: 001472D3
                                • lstrcpynW.KERNEL32(00000000,Copy/Move MRU,00000100), ref: 00147304
                                • lstrcpynW.KERNEL32(?,?,00000104), ref: 0014736D
                                • lstrlenW.KERNEL32(?), ref: 00147378
                                • SendMessageW.USER32(00000143,00000143,00000000,?), ref: 0014738E
                                • LocalFree.KERNEL32(00000000), ref: 001473AD
                                • LocalFree.KERNEL32(?), ref: 001473CD
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Local$Freelstrcpyn$AllocMessageSendlstrlen
                                • String ID: Copy/Move MRU
                                • API String ID: 876074594-4109381532
                                APIs
                                • MessageBeep.USER32(00000000), ref: 0014C20C
                                • SendMessageW.USER32(00001032,00000000,00000000), ref: 0014CDB2
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 0014CDCC
                                • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 0014CDE0
                                • SendMessageW.USER32 ref: 0014CE0F
                                • GetParent.USER32(?), ref: 0014CE3B
                                • GetParent.USER32(?), ref: 0014CE5B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Message$Send$Parent$Beep
                                • String ID: $
                                • API String ID: 3721797063-3993045852
                                APIs
                                  • Part of subcall function 001333B0: lstrlenW.KERNEL32(?,?), ref: 00133516
                                  • Part of subcall function 00134160: ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,75DA4E90,771EF860,?,75DAA6F0), ref: 0013418A
                                  • Part of subcall function 00134160: PathIsRelativeW.SHLWAPI(?,?,75DAA6F0), ref: 00134198
                                  • Part of subcall function 00134160: lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341B2
                                  • Part of subcall function 00134160: PathFindFileNameW.SHLWAPI(?,?,?,75DAA6F0), ref: 001341C1
                                  • Part of subcall function 00134160: lstrcpyW.KERNEL32(00000000,?,75DAA6F0), ref: 001341C8
                                  • Part of subcall function 00134160: PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 001341CF
                                  • Part of subcall function 00134160: PathIsDirectoryW.SHLWAPI(?), ref: 001341E4
                                  • Part of subcall function 00134160: lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341F4
                                  • Part of subcall function 00134160: PathRemoveFileSpecW.SHLWAPI(?,?,75DAA6F0), ref: 001341FB
                                  • Part of subcall function 00134160: lstrcatW.KERNEL32(?,\np3\,?,75DAA6F0), ref: 00134211
                                  • Part of subcall function 00134160: lstrcatW.KERNEL32(?,?,?,75DAA6F0), ref: 00134220
                                  • Part of subcall function 00134160: PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 00134227
                                  • Part of subcall function 00134160: PathIsDirectoryW.SHLWAPI(?), ref: 00134236
                                  • Part of subcall function 00134160: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,75DAA6F0), ref: 0013424F
                                  • Part of subcall function 00134160: PathAppendW.SHLWAPI(?,?,?,75DAA6F0), ref: 00134262
                                  • Part of subcall function 00134160: PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 0013426D
                                  • Part of subcall function 00134160: PathIsDirectoryW.SHLWAPI(?), ref: 0013427C
                                • lstrcpyW.KERNEL32(?,?,?,?,75DA4E90,771EF860), ref: 0013437D
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,?,?,75DA4E90,771EF860), ref: 001343B1
                                • PathIsRelativeW.SHLWAPI(?,?,?,75DA4E90,771EF860), ref: 001343BF
                                • lstrcpyW.KERNEL32(?,?,?,?,75DA4E90,771EF860), ref: 001343D1
                                • PathFindFileNameW.SHLWAPI(?,?,?,?,75DA4E90,771EF860), ref: 001343DC
                                • lstrcpyW.KERNEL32(00000000,?,?,75DA4E90,771EF860), ref: 001343E3
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$Filelstrcpy$DirectoryExists$EnvironmentExpandFindNameRelativeStringslstrcat$AppendFolderRemoveSpeclstrlen
                                • String ID: minipath.ini
                                • API String ID: 785113118-2848199397
                                APIs
                                • lstrcpyW.KERNEL32(?,0029493C), ref: 0014D196
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_0000FEA0,00000000), ref: 0014D1BE
                                • LocalFree.KERNEL32(00000000,?,Function_0000FEA0,00000000), ref: 0014D1CB
                                • lstrcmpiW.KERNEL32(0029493C,?,?,Function_0000FEA0,00000000), ref: 0014D1E7
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0014D23B
                                • SendMessageW.USER32(00001013,00000000,00000000,00000000), ref: 0014D26F
                                • lstrcmpW.KERNEL32(0029493C,*.*,?,Function_0000FEA0,00000000), ref: 0014D27B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$FreeLocalMessageSend$AllocDialogFindIndirectLoadLockParamSizeoflstrcmplstrcmpilstrcpylstrlen
                                • String ID: *.*
                                • API String ID: 773039121-438819550
                                APIs
                                • GetDC.USER32(00000000), ref: 0014760D
                                • EnumFontsW.GDI32(00000000,Segoe UI,Function_00017510,?), ref: 00147621
                                • ReleaseDC.USER32(00000000,00000000), ref: 0014762A
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EnumFontsRelease
                                • String ID: Malgun Gothic$Microsoft JhengHei UI$Microsoft YaHei UI$Segoe UI$Yu Gothic UI
                                • API String ID: 2694381407-2688067338
                                APIs
                                • SendMessageW.USER32(?,0000200B,00000000,Explorer), ref: 0014448F
                                • SendMessageW.USER32(?,00000155,00000001,00000000), ref: 0014449B
                                • SHGetFileInfoW.SHELL32(C:\,00000000,?,000002B4,00004001), ref: 001444C7
                                • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 001444D6
                                • SendMessageW.USER32(?,0000040E,00000008,00000008), ref: 001444E2
                                • SendMessageW.USER32(?,0000040E,00000020,00000020), ref: 001444EE
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$FileInfo
                                • String ID: C:\$Explorer
                                • API String ID: 521633743-4050850895
                                APIs
                                • FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                • LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                • LockResource.KERNEL32(00000000), ref: 00147A5B
                                • SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                • LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                • FreeResource.KERNEL32(00000000), ref: 00147AA0
                                • lstrlenW.KERNEL32(?), ref: 00147B1D
                                • lstrlenW.KERNEL32(?), ref: 00147B89
                                • FreeResource.KERNEL32(00000000), ref: 00147C1A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$Freelstrlen$AllocFindLoadLocalLockSizeof
                                • String ID:
                                • API String ID: 2547741363-0
                                • Opcode ID: 3dc67e5efac498585ad892fdf7ebda1c07b0d91d578d70920d2a189c1618a30b
                                • Instruction ID: d7038521f37ca155d687b6abca129cbcc3e3f254057c2034288f732b1eb82361
                                • Opcode Fuzzy Hash: 3dc67e5efac498585ad892fdf7ebda1c07b0d91d578d70920d2a189c1618a30b
                                • Instruction Fuzzy Hash: D451E1716083118BD7209F64DC85B2BB7E4EF99744F04092DF949873A0E734DD49CBA2
                                APIs
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                  • Part of subcall function 00143CE0: SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                • lstrcpyW.KERNEL32(?,?), ref: 0014CA9E
                                • SHFileOperationW.SHELL32(?), ref: 0014CB08
                                • WaitForSingleObject.KERNEL32(00000000), ref: 0014CB16
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0014CB36
                                • SendMessageW.USER32(00001004,00000000,00000000), ref: 0014CB4C
                                • SendMessageW.USER32(00001004,00000000,00000000), ref: 0014CB62
                                • SendMessageW.USER32(0000102B,00000000,?), ref: 0014CB91
                                • SendMessageW.USER32(00001013,00000000,00000000), ref: 0014CBA1
                                • FindNextChangeNotification.KERNEL32 ref: 0014CBA9
                                Similarity
                                • API ID: MessageSend$ChangeFileFindNextNotificationObjectOperationSingleWaitlstrcpy
                                • String ID:
                                • API String ID: 1797783416-0
                                • Opcode ID: 37e847acee1e7b35b551e9e8d33e329a6c1bb2951cf9442d68d028c3cd216c71
                                • Instruction ID: 8ec35d29fdeb54e16c5002d02b7e907be4e514e45db15501f50b129e73444517
                                • Opcode Fuzzy Hash: 37e847acee1e7b35b551e9e8d33e329a6c1bb2951cf9442d68d028c3cd216c71
                                • Instruction Fuzzy Hash: B3410470544345AAE7309B21EC49FDB77E8FB44724F10452AF694A71F0E7B19884CB96
                                APIs
                                • type_info::operator==.LIBVCRUNTIME ref: 0015655C
                                • ___TypeMatch.LIBVCRUNTIME ref: 0015666A
                                • _UnwindNestedFrames.LIBCMT ref: 001567BC
                                • CallUnexpected.LIBVCRUNTIME ref: 001567D7
                                Strings
                                Similarity
                                • API ID: CallFramesMatchNestedTypeUnexpectedUnwindtype_info::operator==
                                • String ID: csm$csm$csm
                                • API String ID: 2751267872-393685449
                                • Opcode ID: 35ebcec141cf9937a4de2af7cec0a5e31244eec76b3f67f7b339467c89eb476b
                                • Instruction ID: 285da1215a753e9b4cfbca9f2a888f49e482920a436eb7af86cea1964337a8b1
                                • Opcode Fuzzy Hash: 35ebcec141cf9937a4de2af7cec0a5e31244eec76b3f67f7b339467c89eb476b
                                • Instruction Fuzzy Hash: D3B17771800209EFCF18DFA4C8819AEBBB5FF28316B90455AEC206F256D735DA59CBD1
                                APIs
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00133C1A
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?,?,?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00133C3A
                                • FlushFileBuffers.KERNEL32(?,?,?,?,?,?,?,?,?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00133CA8
                                • UnlockFileEx.KERNEL32(?,00000000,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,C0000000,00000003), ref: 00133CBA
                                • CloseHandle.KERNEL32(?,?,00000000,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,C0000000), ref: 00133CC1
                                  • Part of subcall function 00142F30: GetLastError.KERNEL32(?,00000000,?,?,00132773), ref: 00142F39
                                  • Part of subcall function 00142F30: FormatMessageW.KERNEL32 ref: 00142F63
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000,00000000,00290388), ref: 00142F7A
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000), ref: 00142F82
                                  • Part of subcall function 00142F30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00142F92
                                  • Part of subcall function 00142F30: GetFocus.USER32 ref: 00142FBF
                                  • Part of subcall function 00142F30: MessageBoxExW.USER32(?,00000000,MiniPath - ERROR,00000010,?), ref: 00142FDA
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(00000000,?,?,00132773), ref: 00142FE1
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(?), ref: 00142FE7
                                Strings
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 00133CEC
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 00133C49
                                Similarity
                                • API ID: File$Local$FreeMessagelstrlen$AllocBuffersCloseCreateErrorFlushFocusFormatHandleLastLockUnlock
                                • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!
                                • API String ID: 3792989122-250906885
                                • Opcode ID: 2003fb8f23d7843e4c29fb8d3e2e7560358e6fc3580685cf2a979edbc321fd76
                                • Instruction ID: 15dd5b70195cbf7a5bd06da9b9dc4dbd6cc5ff44ce9c59bce050331070b20f8b
                                • Opcode Fuzzy Hash: 2003fb8f23d7843e4c29fb8d3e2e7560358e6fc3580685cf2a979edbc321fd76
                                • Instruction Fuzzy Hash: 8A315232A042216BD33467289C45BBFB3E45B91770F45431AFD75B61D0EBA05F898396
                                APIs
                                • SetTextColor.GDI32(?,?), ref: 001316CC
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                • SendMessageW.USER32(?,0000111E,00000000,?), ref: 00131656
                                • SendMessageW.USER32(?,0000111D,00000000,?), ref: 0013167D
                                • RedrawWindow.USER32(?,00000000,00000000,00000407), ref: 00131694
                                • #413.COMCTL32(?,?,?,?), ref: 001316A2
                                • #413.COMCTL32(?,?,?,?), ref: 001316FA
                                Strings
                                Similarity
                                • API ID: #413MessageSend$ColorInfoParametersRedrawSystemTextWindow
                                • String ID: ItemsView
                                • API String ID: 2992698940-272564461
                                • Opcode ID: 2e01806dc0601601913f5e35c8d6c323b593091c24f130d05ec5e6fffcd3924a
                                • Instruction ID: 213cb9da8139bacf5de3b74712ddc9549cfbadb9f6f241e1a0c0e8004b6f4300
                                • Opcode Fuzzy Hash: 2e01806dc0601601913f5e35c8d6c323b593091c24f130d05ec5e6fffcd3924a
                                • Instruction Fuzzy Hash: 70312572344305BFE3215BE5EC0AF9B7BACFB8A715F084426F704A50A1C7B1E9548B65
                                APIs
                                • SetTextColor.GDI32(?,?), ref: 0013181C
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                • SendMessageW.USER32(?,0000111E,00000000,?), ref: 001317A6
                                • SendMessageW.USER32(?,0000111D,00000000,?), ref: 001317CD
                                • RedrawWindow.USER32(?,00000000,00000000,00000407), ref: 001317E4
                                • #413.COMCTL32(?,?,?,?), ref: 001317F2
                                • #413.COMCTL32(?,?,?,?), ref: 0013184A
                                Strings
                                Similarity
                                • API ID: #413MessageSend$ColorInfoParametersRedrawSystemTextWindow
                                • String ID: ItemsView
                                • API String ID: 2992698940-272564461
                                • Opcode ID: 7cda88db2fc59b306325198d313cc9c38de2a5ecde02961d11bc977bed3580c2
                                • Instruction ID: ba8c02fc2cac44a831a5cfadb9239801ca374f30bc43590b727f54bbcacb34b5
                                • Opcode Fuzzy Hash: 7cda88db2fc59b306325198d313cc9c38de2a5ecde02961d11bc977bed3580c2
                                • Instruction Fuzzy Hash: C7314832245304BBE7229FA4EC49FAB7FA8FF8AB51F044416F704A90A1CB61D9508766
                                APIs
                                • GetWindowRect.USER32(?,?), ref: 00145699
                                • GetParent.USER32(?), ref: 0014569C
                                • GetWindowRect.USER32(00000000,?), ref: 001456A8
                                • MonitorFromRect.USER32(?,00000002), ref: 001456B1
                                • GetMonitorInfoW.USER32(00000000,?), ref: 001456C5
                                • SetWindowPos.USER32(?,00000000,?,?,00000000,00000000,00000005), ref: 00145757
                                Strings
                                Similarity
                                • API ID: RectWindow$Monitor$FromInfoParent
                                • String ID: (
                                • API String ID: 2534694491-3887548279
                                • Opcode ID: 7e1b4ca53cf4f2fdc49f54f53b8bd2b574f1338b405d28db018a8e587152ebbd
                                • Instruction ID: e1ea4b7165458499d56856c7e1af6779942f6339380fe8952ccb1857eb046157
                                • Opcode Fuzzy Hash: 7e1b4ca53cf4f2fdc49f54f53b8bd2b574f1338b405d28db018a8e587152ebbd
                                • Instruction Fuzzy Hash: 69316C766083029FC704CF68DD89A2EBBE9FB88714F544A2DF585D3291E770F9448B92
                                APIs
                                • LocalAlloc.KERNEL32(00000040,00000268), ref: 00147413
                                • lstrcpynW.KERNEL32(00000000,Copy/Move MRU,00000100), ref: 0014744E
                                • lstrcmpiW.KERNEL32(00000000), ref: 0014748D
                                • lstrcmpW.KERNEL32(00000000), ref: 00147495
                                • LocalFree.KERNEL32(?), ref: 001474B4
                                • StrDupW.SHLWAPI ref: 001474E2
                                Strings
                                Similarity
                                • API ID: Local$AllocFreelstrcmplstrcmpilstrcpyn
                                • String ID: Copy/Move MRU
                                • API String ID: 3287565185-4109381532
                                • Opcode ID: 09cf74ea17a299952c6006aaf9ea7f643cf983683f48d8313aa7b986548c58b2
                                • Instruction ID: 11dfc516511617de3c5f7dfbabc16cd3db38ccc07cee95e911424b8e6f05ad4f
                                • Opcode Fuzzy Hash: 09cf74ea17a299952c6006aaf9ea7f643cf983683f48d8313aa7b986548c58b2
                                • Instruction Fuzzy Hash: F7313535708712DBC7119F14EC84B7ABBE1FF81700F044519FD45672A1DB74A84ACBA2
                                APIs
                                • SendMessageW.USER32(?,00000146,00000000,00000000), ref: 00144842
                                • SendMessageW.USER32(?,0000040D,00000000,00000020), ref: 00144871
                                • StrRetToBufW.SHLWAPI(?,75A45540,?,00000040), ref: 001448A3
                                • PathIsSameRootW.SHLWAPI(00000020,?), ref: 001448B5
                                • SendMessageW.USER32(?,0000014E,00000001,00000000), ref: 001448D4
                                • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 001448FA
                                Strings
                                Similarity
                                • API ID: MessageSend$PathRootSame
                                • String ID:
                                • API String ID: 2384681124-3916222277
                                • Opcode ID: 5fa03d003a7047ee0357c4d61817565de70d793e7c06702cc3f1cef713679147
                                • Instruction ID: 08a7c57831e70fddbcbd759d67bdbd3f4043bbc5bc3440994be7f5aedb1bff9d
                                • Opcode Fuzzy Hash: 5fa03d003a7047ee0357c4d61817565de70d793e7c06702cc3f1cef713679147
                                • Instruction Fuzzy Hash: 09215171244346AFE320DB55DD45FA7B7ECFB89B00F010429F649D71A1D770E8448B52
                                APIs
                                • CreateFileW.KERNEL32(00290388,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00132928
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?), ref: 00132947
                                • FlushFileBuffers.KERNEL32(75A373E0,75A373E0), ref: 0013299A
                                • UnlockFileEx.KERNEL32(75A373E0,00000000,000000FF,00000000,?), ref: 001329AC
                                • CloseHandle.KERNEL32(75A373E0), ref: 001329B3
                                  • Part of subcall function 00142F30: GetLastError.KERNEL32(?,00000000,?,?,00132773), ref: 00142F39
                                  • Part of subcall function 00142F30: FormatMessageW.KERNEL32 ref: 00142F63
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000,00000000,00290388), ref: 00142F7A
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000), ref: 00142F82
                                  • Part of subcall function 00142F30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00142F92
                                  • Part of subcall function 00142F30: GetFocus.USER32 ref: 00142FBF
                                  • Part of subcall function 00142F30: MessageBoxExW.USER32(?,00000000,MiniPath - ERROR,00000010,?), ref: 00142FDA
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(00000000,?,?,00132773), ref: 00142FE1
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(?), ref: 00142FE7
                                Strings
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 001329C2
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 00132956
                                Similarity
                                • API ID: File$Local$FreeMessagelstrlen$AllocBuffersCloseCreateErrorFlushFocusFormatHandleLastLockUnlock
                                • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!
                                • API String ID: 3792989122-250906885
                                • Opcode ID: 2b7dcd597404643739eff2c1e1c5458d1d85347475f3407f1501dd1217e9f083
                                • Instruction ID: 9fb2d7079fd3d65cdd651583bb65c3c3799aee6c9c25d4091ea85d0f152f5f71
                                • Opcode Fuzzy Hash: 2b7dcd597404643739eff2c1e1c5458d1d85347475f3407f1501dd1217e9f083
                                • Instruction Fuzzy Hash: 9A215C3175032267F72477289C4AF6B2298FBC2738F650326FA64A20E0E7B4588D4375
                                APIs
                                • LoadLibraryExW.KERNEL32(comctl32.dll,00000000,00000800), ref: 00131C89
                                • FreeLibrary.KERNEL32(00000000), ref: 00131CD1
                                • VirtualProtect.KERNEL32(00000000,00000004,00000004,?), ref: 00131D19
                                • VirtualProtect.KERNEL32(00000000,00000004,?,?), ref: 00131D3F
                                • FreeLibrary.KERNEL32(00000000), ref: 00131D43
                                Strings
                                Similarity
                                • API ID: Library$FreeProtectVirtual$Load
                                • String ID: comctl32.dll$uxtheme.dll
                                • API String ID: 2863076735-677055601
                                • Opcode ID: 4ed21a675e0178e0f8cb235c6626df76e6edd3613dd9beb2687d9dc839834e8b
                                • Instruction ID: 9a6a05922cdbcf793853ab96de2fbce451876c668868a169e96558569de17f80
                                • Opcode Fuzzy Hash: 4ed21a675e0178e0f8cb235c6626df76e6edd3613dd9beb2687d9dc839834e8b
                                • Instruction Fuzzy Hash: D421C272740301BBEB248B68EC84BA677E8BF41755F08843DFA5597241DB75EC09C761
                                APIs
                                • GetPropW.USER32(00000000,DirListData), ref: 001431CA
                                  • Part of subcall function 00143280: GetPropW.USER32(?,DirListData), ref: 0014328A
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143298
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432A6
                                  • Part of subcall function 00143280: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001432D2
                                  • Part of subcall function 00143280: TranslateMessage.USER32(?), ref: 001432DD
                                  • Part of subcall function 00143280: DispatchMessageW.USER32(?), ref: 001432E4
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432EE
                                  • Part of subcall function 00143280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143301
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 0014330D
                                • CloseHandle.KERNEL32(?), ref: 001431DF
                                • CloseHandle.KERNEL32(?), ref: 001431EB
                                • CoTaskMemFree.OLE32(?), ref: 001431F9
                                • RemovePropW.USER32(00000000,DirListData), ref: 00143214
                                • GlobalFree.KERNEL32(00000000), ref: 0014321B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EventMessageProp$CloseFreeHandleObjectSingleWait$DispatchGlobalPeekRemoveResetTaskTranslate
                                • String ID: DirListData
                                • API String ID: 222544525-869039069
                                APIs
                                • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,001A67A0,00000000,00000000,?,00000000,?,?,?,?,00000000,?), ref: 001A6576
                                • __alloca_probe_16.LIBCMT ref: 001A6631
                                • __alloca_probe_16.LIBCMT ref: 001A66C0
                                • __freea.LIBCMT ref: 001A670B
                                • __freea.LIBCMT ref: 001A6711
                                • __freea.LIBCMT ref: 001A6747
                                • __freea.LIBCMT ref: 001A674D
                                • __freea.LIBCMT ref: 001A675D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __freea$__alloca_probe_16$Info
                                • String ID:
                                • API String ID: 127012223-0
                                APIs
                                • std::locale::_Init.LIBCPMT ref: 0288A1CB
                                  • Part of subcall function 028DB2AF: __EH_prolog3.LIBCMT ref: 028DB2B6
                                  • Part of subcall function 028DB2AF: std::_Lockit::_Lockit.LIBCPMT ref: 028DB2C1
                                  • Part of subcall function 028DB2AF: std::locale::_Setgloballocale.LIBCPMT ref: 028DB2DC
                                  • Part of subcall function 028DB2AF: _Yarn.LIBCPMT ref: 028DB2F2
                                  • Part of subcall function 028DB2AF: std::_Lockit::~_Lockit.LIBCPMT ref: 028DB332
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0288A245
                                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0288A28D
                                  • Part of subcall function 028DB3AF: _Yarn.LIBCPMT ref: 028DB3CE
                                  • Part of subcall function 028DB3AF: _Yarn.LIBCPMT ref: 028DB3F2
                                • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0288A2C2
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0288A357
                                • std::locale::_Locimp::_New_Locimp.LIBCPMT ref: 0288A381
                                • std::_Lockit::_Lockit.LIBCPMT ref: 0288A3A7
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 0288A3C8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_Yarnstd::locale::_$Locinfo::_$H_prolog3InitLocimpLocimp::_Locinfo_ctorLocinfo_dtorNew_Setgloballocale
                                • String ID:
                                • API String ID: 3764317792-0
                                APIs
                                • LoadStringW.USER32(?,?,00000200), ref: 00142DEB
                                • LoadStringW.USER32(?,?,00000200), ref: 00142E09
                                • StrChrW.SHLWAPI(?,0000000A,?,?,?,?,?,?,?,?,771EF860), ref: 00142E78
                                • lstrcpyW.KERNEL32(?,00000002,?,?,?,?,?,?,?,?,771EF860), ref: 00142E90
                                • lstrcpyW.KERNEL32(?,?,?,?,?,?,?,?,?,?,771EF860), ref: 00142EB0
                                • lstrcpyW.KERNEL32(?,001BD420,?,?,?,?,?,?,?,?,771EF860), ref: 00142EBC
                                • GetFocus.USER32 ref: 00142EBE
                                • MessageBoxExW.USER32(?,?,?,00000040,?), ref: 00142F01
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcpy$LoadString$FocusMessage
                                • String ID:
                                • API String ID: 3506571364-0
                                APIs
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 001441A1
                                • SHGetFileInfoW.SHELL32(?,00000000,?,000002B4,00000200), ref: 001441F5
                                • SendMessageW.USER32 ref: 00144229
                                • GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00144254
                                • lstrcmpiW.KERNEL32(?,?), ref: 00144266
                                • SendMessageW.USER32(?,00001053,00000000,?), ref: 0014427C
                                • SendMessageW.USER32(?,0000102B,00000000,?), ref: 001442BC
                                • SendMessageW.USER32(?,00001013,00000000,00000000), ref: 001442C7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$NamePathShort$FileInfolstrcmpi
                                • String ID:
                                • API String ID: 2457365294-0
                                APIs
                                • SendMessageW.USER32(?,00000080,00000000,00080493), ref: 0013E1FA
                                • SetDlgItemTextW.USER32(?,00000064,00000000), ref: 0013E26D
                                • SendDlgItemMessageW.USER32(?,00000064,000000C5,00000103,00000000), ref: 0013E282
                                • GetDlgItem.USER32(?,00000064), ref: 0013E28D
                                • SHAutoComplete.SHLWAPI(00000000), ref: 0013E294
                                • GetDlgItem.USER32(?,00000065), ref: 0013E2C0
                                • SendMessageW.USER32(00000000,00001603,00000000,?), ref: 0013E2D3
                                • ImageList_Destroy.COMCTL32(?), ref: 0013E2E1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Item$MessageSend$AutoCompleteDestroyImageList_Text
                                • String ID:
                                • API String ID: 2206562733-0
                                APIs
                                • GetDlgItem.USER32(?,00000065), ref: 00145790
                                • LoadImageW.USER32(?,?,00000000,00000000,00000000,00002000), ref: 001457A5
                                • GetObjectW.GDI32(00000000,00000018,?), ref: 001457B5
                                • ImageList_Create.COMCTL32(?,?,00000021,00000001,00000000,?,?,?,?,?,?,?,?,?,?,0013E214), ref: 001457C9
                                • ImageList_AddMasked.COMCTL32(00000000,00000000,FF000000,?,?,?,?,?,?,?,?,?,?,0013E214,00000065), ref: 001457DA
                                • DeleteObject.GDI32(00000000), ref: 001457E1
                                • SetRect.USER32(?,00000000,00000000,00000000,00000000), ref: 001457F4
                                • SendMessageW.USER32(00000000,00001602,00000000,?), ref: 0014580F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Image$List_Object$CreateDeleteItemLoadMaskedMessageRectSend
                                • String ID:
                                • API String ID: 26161057-0
                                APIs
                                • DName::operator+.LIBCMT ref: 00159171
                                • DName::operator+.LIBCMT ref: 001591C4
                                  • Part of subcall function 00157C69: shared_ptr.LIBCMT ref: 00157C85
                                  • Part of subcall function 00157B58: DName::operator+.LIBCMT ref: 00157B79
                                • DName::operator+.LIBCMT ref: 001591B5
                                • DName::operator+.LIBCMT ref: 00159215
                                • DName::operator+.LIBCMT ref: 00159222
                                • DName::operator+.LIBCMT ref: 00159269
                                • DName::operator+.LIBCMT ref: 00159276
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name::operator+$shared_ptr
                                • String ID:
                                • API String ID: 1037112749-0
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 001547C7
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 001547CF
                                • _ValidateLocalCookies.LIBCMT ref: 00154858
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00154883
                                • _ValidateLocalCookies.LIBCMT ref: 001548D8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                APIs
                                • QueryPerformanceCounter.KERNEL32(?), ref: 028D220A
                                • GetLastError.KERNEL32(0000000A), ref: 028D2235
                                Strings
                                • Timer: QueryPerformanceFrequency failed with error , xrefs: 028D233B
                                • Timer: QueryPerformanceCounter failed with error , xrefs: 028D2250
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: CounterErrorLastPerformanceQuery
                                • String ID: Timer: QueryPerformanceCounter failed with error $Timer: QueryPerformanceFrequency failed with error
                                • API String ID: 1297246462-2136607233
                                APIs
                                • lstrlenW.KERNEL32(?,?), ref: 00133548
                                  • Part of subcall function 001326C0: CreateFileW.KERNEL32(00290388,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00132703
                                  • Part of subcall function 001326C0: LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 0013271A
                                • FlushFileBuffers.KERNEL32(00000000,00000000), ref: 00133411
                                • UnlockFileEx.KERNEL32(00000000,00000000,000000FF,00000000,?), ref: 00133423
                                • CloseHandle.KERNEL32(00000000), ref: 0013342A
                                • lstrlenW.KERNEL32(?,?), ref: 00133516
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$lstrlen$BuffersCloseCreateFlushHandleLockUnlock
                                • String ID: Settings2
                                • API String ID: 2223255397-1942966065
                                APIs
                                • LocalFree.KERNEL32(001BFD20,9AAD4D09,75A48FB0,00000204), ref: 00147069
                                • lstrlenW.KERNEL32(?,?,?,?,9AAD4D09,75A48FB0,00000204), ref: 001470E0
                                • StrDupW.SHLWAPI(?,?,?,?,9AAD4D09,75A48FB0,00000204), ref: 0014713B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeLocallstrlen
                                • String ID: "$"$%.2i
                                • API String ID: 3681330831-3884397407
                                APIs
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143EF1
                                • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143F05
                                • SendMessageW.USER32 ref: 00143F28
                                • GetParent.USER32(?), ref: 00143F4B
                                • GetParent.USER32(?), ref: 00143F6C
                                Strings
                                Similarity
                                • API ID: MessageSend$Parent
                                • String ID: $
                                • API String ID: 1020955656-3993045852
                                APIs
                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00144931
                                • SendMessageW.USER32 ref: 0014495B
                                • GetParent.USER32(?), ref: 00144976
                                • GetParent.USER32(?), ref: 00144997
                                Strings
                                Similarity
                                • API ID: MessageParentSend
                                • String ID: $$
                                • API String ID: 928151917-182950533
                                APIs
                                • FreeLibrary.KERNEL32(00000000,?,00000000,00000800,00000000,?,?,9AAD4D09,?,00193278,?,?,?,00000000), ref: 0019322C
                                Strings
                                Similarity
                                • API ID: FreeLibrary
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 3664257935-537541572
                                APIs
                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0014CEF5
                                • SendMessageW.USER32 ref: 0014CF19
                                • GetParent.USER32(?), ref: 0014CF3A
                                • GetParent.USER32(?), ref: 0014CF5A
                                Strings
                                Similarity
                                • API ID: MessageParentSend
                                • String ID: $$
                                • API String ID: 928151917-182950533
                                APIs
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001546AE
                                  • Part of subcall function 0015423F: std::exception::exception.LIBCONCRT ref: 0015424C
                                  • Part of subcall function 00155B01: RaiseException.KERNEL32(E06D7363,00000001,00000003,00153ACC,?,?,?,?,00153ACC,?,001C0B3C), ref: 00155B61
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001546CE
                                  • Part of subcall function 001542B3: std::exception::exception.LIBCONCRT ref: 001542C0
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 001546EE
                                  • Part of subcall function 001542ED: std::exception::exception.LIBCONCRT ref: 001542FA
                                • std::regex_error::regex_error.LIBCPMT ref: 0015470E
                                  • Part of subcall function 00154330: std::exception::exception.LIBCONCRT ref: 00154348
                                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 0015472E
                                  • Part of subcall function 00154379: std::exception::exception.LIBCONCRT ref: 00154386
                                Strings
                                Similarity
                                • API ID: std::exception::exception$std::invalid_argument::invalid_argument$ExceptionRaisestd::regex_error::regex_error
                                • String ID: bad function call
                                • API String ID: 2470674941-3612616537
                                APIs
                                • DefWindowProcW.USER32 ref: 0014944E
                                • lstrcmpW.KERNEL32(0029493C,*.*), ref: 00149460
                                • SendMessageW.USER32(00001024,00000000,00D77800), ref: 001494CA
                                • SendMessageW.USER32(00001004,00000000,00000000), ref: 001494DB
                                • SendMessageW.USER32(00001015,00000000,-00000001), ref: 001494EC
                                Strings
                                Similarity
                                • API ID: MessageSend$ProcWindowlstrcmp
                                • String ID: *.*
                                • API String ID: 3670981246-438819550
                                APIs
                                • GetDlgItemTextW.USER32(?,00000064,?,00000104), ref: 0013DEC0
                                • lstrcpyW.KERNEL32(?,?,?,00000064,?,00000104), ref: 0013DED3
                                  • Part of subcall function 00146380: CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                  • Part of subcall function 00146380: lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                  • Part of subcall function 00146380: CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                • StrChrW.SHLWAPI(?,00000020), ref: 0013DF1B
                                • GetDlgItem.USER32(?,00000001), ref: 0013DF45
                                • EnableWindow.USER32(00000000), ref: 0013DF4C
                                Strings
                                Similarity
                                • API ID: Char$ItemPrevlstrlen$EnableNextTextWindowlstrcpy
                                • String ID: "
                                • API String ID: 2789626447-123907689
                                APIs
                                • PathIsRelativeW.SHLWAPI(00294734,00000000), ref: 0014A898
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0014A8AE
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 0014A8B9
                                • PathAppendW.SHLWAPI(?,00294734), ref: 0014A8C5
                                • PathFileExistsW.SHLWAPI(00294734), ref: 0014A8D0
                                • PathIsDirectoryW.SHLWAPI(00294734), ref: 0014A8DB
                                • LoadImageW.USER32(00000000,00294734,00000000,00000000,00000000,00002010), ref: 0014A8EF
                                Similarity
                                • API ID: Path$File$AppendDirectoryExistsImageLoadModuleNameRelativeRemoveSpec
                                • String ID:
                                • API String ID: 1924643234-0
                                APIs
                                • GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,00000000,001525E3,00152546,00152AAD,?,?,00000000,?,?), ref: 0015257F
                                • GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 00152595
                                • GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 001525AA
                                Strings
                                Similarity
                                • API ID: AddressProc$HandleModule
                                • String ID: AcquireSRWLockExclusive$KERNEL32.DLL$ReleaseSRWLockExclusive
                                • API String ID: 667068680-1718035505
                                APIs
                                • DName::operator+.LIBCMT ref: 0015D93E
                                • DName::operator+.LIBCMT ref: 0015D94A
                                  • Part of subcall function 00157C69: shared_ptr.LIBCMT ref: 00157C85
                                • DName::operator+=.LIBCMT ref: 0015DA08
                                  • Part of subcall function 0015C1C2: DName::operator+.LIBCMT ref: 0015C22D
                                  • Part of subcall function 0015C1C2: DName::operator+.LIBCMT ref: 0015C4F7
                                  • Part of subcall function 00157B58: DName::operator+.LIBCMT ref: 00157B79
                                • DName::operator+.LIBCMT ref: 0015D9C5
                                  • Part of subcall function 00157CC1: DName::operator=.LIBVCRUNTIME ref: 00157CE2
                                • DName::DName.LIBVCRUNTIME ref: 0015DA2C
                                • DName::operator+.LIBCMT ref: 0015DA38
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator+=Name::operator=shared_ptr
                                • String ID:
                                • API String ID: 2795783184-0
                                APIs
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143D18
                                • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143D28
                                • SendMessageW.USER32(?,?,?,0000104B), ref: 00143D4D
                                • StrRetToBufW.SHLWAPI(?,?,?,00000104,?,00008000,?,?,?,?,0000104B,00000000,?), ref: 00143DA9
                                • StrRetToBufW.SHLWAPI(?,?,?,00000104,?,00000001,?,?,?,?,0000104B,00000000,?), ref: 00143DE8
                                • SHGetDataFromIDListW.SHELL32(?,?,00000001,?,00000250), ref: 00143E00
                                Similarity
                                • API ID: MessageSend$DataFromList
                                • String ID:
                                • API String ID: 101582348-0
                                APIs
                                  • Part of subcall function 0015DA4E: Replicator::operator[].LIBCMT ref: 0015DA8B
                                • DName::operator=.LIBVCRUNTIME ref: 0015C62A
                                  • Part of subcall function 0015C1C2: DName::operator+.LIBCMT ref: 0015C22D
                                  • Part of subcall function 0015C1C2: DName::operator+.LIBCMT ref: 0015C4F7
                                • DName::operator+.LIBCMT ref: 0015C5E4
                                • DName::operator+.LIBCMT ref: 0015C5F0
                                • DName::DName.LIBVCRUNTIME ref: 0015C642
                                • DName::operator+.LIBCMT ref: 0015C651
                                • DName::operator+.LIBCMT ref: 0015C65D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name::operator+$NameName::Name::operator=Replicator::operator[]
                                • String ID:
                                • API String ID: 955152517-0
                                APIs
                                • lstrcpyW.KERNEL32(00290388,C:\Users\user\Desktop\bgsTrRPJh0.ini), ref: 0014D4D4
                                  • Part of subcall function 00134070: StrRChrW.SHLWAPI(00290388,00000000,0000005C,?,?,?,001354A3), ref: 0013408A
                                  • Part of subcall function 00134070: SHCreateDirectoryExW.SHELL32(00000000,00290388,00000000,?,?,?,001354A3), ref: 001340A2
                                  • Part of subcall function 00134070: PathFileExistsW.SHLWAPI(00290388,?,?,?,001354A3), ref: 001340B5
                                  • Part of subcall function 00134070: PathIsDirectoryW.SHLWAPI(00290388), ref: 001340C4
                                  • Part of subcall function 00134070: CreateFileW.KERNEL32(00290388,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001354A3), ref: 001340E3
                                  • Part of subcall function 00134070: GetFileSize.KERNEL32(00000000,?), ref: 001340FE
                                  • Part of subcall function 00134070: CloseHandle.KERNEL32(00000000), ref: 00134107
                                • lstrcpyW.KERNEL32(C:\Users\user\Desktop\bgsTrRPJh0.ini,001BD420), ref: 0014D4E9
                                  • Part of subcall function 00142D90: LoadStringW.USER32(?,?,00000200), ref: 00142DEB
                                  • Part of subcall function 00142D90: LoadStringW.USER32(?,?,00000200), ref: 00142E09
                                • lstrcpyW.KERNEL32(00290388,001BD420), ref: 0014D4F2
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Filelstrcpy$CreateDirectoryLoadPathString$CloseExistsHandleSize
                                • String ID: C:\Users\user\Desktop\bgsTrRPJh0.ini$Settings$WriteTest
                                • API String ID: 589230846-2785627433
                                APIs
                                • SendMessageW.USER32(00000423,00000000,00000000), ref: 00149571
                                • DefWindowProcW.USER32(?,?,?), ref: 001495A2
                                • GetMessageTime.USER32 ref: 001495D1
                                • GetMessagePos.USER32 ref: 001495E1
                                • GetMessagePos.USER32 ref: 001495EA
                                • DefWindowProcW.USER32(?,?,?,?), ref: 00149618
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Message$ProcWindow$SendTime
                                • String ID:
                                • API String ID: 247368415-0
                                APIs
                                • CreateFileW.KERNEL32(?,80000000,00000005,00000000,00000003,00000000,00000000,?,00000000,00000000,?,00151627,?,00000000,00000000), ref: 001513CD
                                • CreateFileMappingW.KERNEL32(00000000,00000000,00000008,00000000,00000000,00000000,?,00151627,?,00000000,00000000,?,?,00000104,?), ref: 001513E1
                                • CloseHandle.KERNEL32(00000000,?,00151627,?,00000000,00000000,?,?,00000104,?), ref: 001513EA
                                • MapViewOfFile.KERNEL32(00000000,00000001,00000000,00000000,00000000,?,00151627,?,00000000,00000000,?,?,00000104,?), ref: 001513FA
                                • CloseHandle.KERNEL32(00000000,?,00151627,?,00000000,00000000,?,?,00000104,?), ref: 00151403
                                • LoadLibraryExW.KERNEL32(?,00000000,00000000,?,00000000,00000000,?,00151627,?,00000000,00000000,?,?,00000104,?), ref: 00151420
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$CloseCreateHandle$LibraryLoadMappingView
                                • String ID:
                                • API String ID: 1262414356-0
                                APIs
                                • GetLastError.KERNEL32(?,?,001560C6,001550AA,00153CB6), ref: 001560DD
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 001560EB
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00156104
                                • SetLastError.KERNEL32(00000000,001560C6,001550AA,00153CB6), ref: 00156156
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLastValue___vcrt_
                                • String ID:
                                • API String ID: 3852720340-0
                                APIs
                                • ShowWindow.USER32(?,00000000), ref: 001426E9
                                • ShowWindow.USER32(00000000,?,00000000), ref: 001426F3
                                  • Part of subcall function 00147C40: DialogBoxIndirectParamW.USER32(00000000,00000000,?,?,?), ref: 00147C5A
                                  • Part of subcall function 00147C40: LocalFree.KERNEL32(00000000), ref: 00147C67
                                • ShowWindow.USER32(00000001), ref: 00142715
                                • ShowWindow.USER32(?,00000001), ref: 0014271A
                                • CheckRadioButton.USER32(?,00000068,0000006A,00000069), ref: 00142729
                                • CheckRadioButton.USER32(?,00000064,00000065,00000065), ref: 00142732
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ShowWindow$ButtonCheckRadio$DialogFreeIndirectLocalParam
                                • String ID:
                                • API String ID: 468163734-0
                                APIs
                                • AppendMenuW.USER32(00000000,?,?,00000000), ref: 0013FE18
                                • lstrcmpiW.KERNEL32(?,002914E8,?,?), ref: 0013FE28
                                • IsDlgButtonChecked.USER32(00000066), ref: 0013FE3A
                                • CharNextW.USER32(?,002914E8,?,?), ref: 0013FE4B
                                • lstrcmpiW.KERNEL32(00000000,?,?), ref: 0013FE52
                                • IsDlgButtonChecked.USER32(00000066), ref: 0013FE64
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ButtonCheckedlstrcmpi$AppendCharMenuNext
                                • String ID:
                                • API String ID: 2957333968-0
                                APIs
                                • SystemParametersInfoW.USER32(00000048,00000008,00000000), ref: 00147EC4
                                • GetWindowRect.USER32(?,?), ref: 00147EE0
                                • DrawAnimatedRects.USER32(?,00000003,?,?), ref: 00147EF3
                                • ShowWindow.USER32(?,00000005), ref: 00147EFC
                                • SetActiveWindow.USER32(?), ref: 00147F03
                                • SetForegroundWindow.USER32(?), ref: 00147F0A
                                  • Part of subcall function 00147C80: FindWindowExW.USER32(00000000,00000000,Shell_TrayWnd,00000000), ref: 00147CA3
                                  • Part of subcall function 00147C80: FindWindowExW.USER32(00000000,00000000,TrayNotifyWnd,00000000), ref: 00147CB3
                                  • Part of subcall function 00147C80: GetWindowRect.USER32(00000000,?), ref: 00147CBB
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$FindRect$ActiveAnimatedDrawForegroundInfoParametersRectsShowSystem
                                • String ID:
                                • API String ID: 2112798254-0
                                APIs
                                • GetWindowLongW.USER32(0000A02A,000000EC), ref: 0014588B
                                • SetWindowLongW.USER32(0000A02A,000000EC,00000000), ref: 0014589A
                                • MulDiv.KERNEL32(?,000000FF,00000064), ref: 001458AB
                                • SetLayeredWindowAttributes.USER32(0000A02A,00000000,?,00000002), ref: 001458BE
                                • GetWindowLongW.USER32(0000A02A,000000EC), ref: 001458C7
                                • SetWindowLongW.USER32(0000A02A,000000EC,00000000), ref: 001458D6
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$Long$AttributesLayered
                                • String ID:
                                • API String ID: 2169480361-0
                                APIs
                                • GetModuleFileNameW.KERNEL32(00000000,0028F44A,00000104), ref: 0018C506
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FileModuleName
                                • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                • API String ID: 514040917-4022980321
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: NameName::operator+shared_ptr
                                • String ID: volatile$volatile
                                • API String ID: 606639705-1839175264
                                APIs
                                • PathFindExtensionW.SHLWAPI(?,.lnk,00000000,-00000001), ref: 001461E2
                                • lstrcmpiW.KERNEL32(00000000), ref: 001461E9
                                  • Part of subcall function 00146080: CoCreateInstance.OLE32(001B378C,00000000,00000001,001AFD7C,?,0000C356,?), ref: 001460AF
                                  • Part of subcall function 00146080: lstrcpyW.KERNEL32(?,?), ref: 001460DB
                                  • Part of subcall function 00146080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00146152
                                  • Part of subcall function 00146080: lstrcpynW.KERNEL32(?,?,?), ref: 0014616C
                                • PathIsDirectoryW.SHLWAPI(?), ref: 00146229
                                • lstrcpynW.KERNEL32(?,?,?), ref: 00146240
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Pathlstrcpyn$CreateDirectoryEnvironmentExpandExtensionFindInstanceStringslstrcmpilstrcpy
                                • String ID: .lnk
                                • API String ID: 403286655-24824748
                                • Opcode ID: c22c5b805dcfde18ef8b306cbc5d1c32d1decce366c5919034f951f72fb3eb66
                                • Instruction ID: 890e2e88eb8d2d5b4a66715a98efbfc31adc473631b2760b9cba2f2ab5cb7da2
                                • Opcode Fuzzy Hash: c22c5b805dcfde18ef8b306cbc5d1c32d1decce366c5919034f951f72fb3eb66
                                • Instruction Fuzzy Hash: 6A1186B16042056BD7209724DC45BEF73E8AF95704F448839F949C72A0EBB4DD8987A7
                                APIs
                                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383},00000000,00000001,?), ref: 0015107E
                                • RegQueryValueExW.ADVAPI32(?,Locale,00000000,00000000,?,00000006), ref: 0015109B
                                • RegCloseKey.ADVAPI32(?), ref: 001510A6
                                Strings
                                • Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}, xrefs: 00151074
                                • Locale, xrefs: 00151093
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CloseOpenQueryValue
                                • String ID: Locale$Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
                                • API String ID: 3677997916-1161606707
                                • Opcode ID: 7e29bf163a1fcf6b388489f74adc6ef76649be9021ca5df765af4c5b12976c27
                                • Instruction ID: 5ba9c5b48b3109224c66430c6d78bd07a12044221414b4233272ae82837688b8
                                • Opcode Fuzzy Hash: 7e29bf163a1fcf6b388489f74adc6ef76649be9021ca5df765af4c5b12976c27
                                • Instruction Fuzzy Hash: 17119179A00149FBDB219BA1EC49FAF77B8FB85740F010415FC12A71A0E7709984C760
                                APIs
                                • lstrcmpW.KERNEL32(0029493C,*.*), ref: 0014D2AF
                                • lstrcpyW.KERNEL32(0029493C,*.*), ref: 0014D2CF
                                • SendMessageW.USER32(?,00000111,00019D0D,00000000), ref: 0014D321
                                • SendMessageW.USER32(00001013,00000000,00000000,00000000), ref: 0014D355
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$lstrcmplstrcpy
                                • String ID: *.*
                                • API String ID: 183746767-438819550
                                • Opcode ID: 4462e424810a8759cc6d8473400bbfb32c6699f84ee14075c6a9c681615b5695
                                • Instruction ID: 1fec5684ab70882a844dc0bf53ec0704da11f0697075aeb03e021372c96782b8
                                • Opcode Fuzzy Hash: 4462e424810a8759cc6d8473400bbfb32c6699f84ee14075c6a9c681615b5695
                                • Instruction Fuzzy Hash: EE112BB2344341ABE730AB60FC9AFAB77E8BB41314F44442AF159560E2EBB19458CB53
                                APIs
                                • lstrcpyW.KERNEL32(<I),0029493C), ref: 00140234
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_0000FEA0,00000000), ref: 0014025C
                                • LocalFree.KERNEL32(00000000,?,Function_0000FEA0,00000000), ref: 00140269
                                • lstrcmpiW.KERNEL32(0029493C,?,?,Function_0000FEA0,00000000), ref: 0014027E
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$FreeLocal$AllocDialogFindIndirectLoadLockParamSizeoflstrcmpilstrcpylstrlen
                                • String ID: <I)
                                • API String ID: 2002630831-2973346246
                                • Opcode ID: 80d735b5731acc2a1e71e9333200d2df7f3b2e3d81341777813f88c759c83cfb
                                • Instruction ID: f0006c32bf772994f5546e644821fb0d522cdbbff65a7a3b0d4282926f0ca754
                                • Opcode Fuzzy Hash: 80d735b5731acc2a1e71e9333200d2df7f3b2e3d81341777813f88c759c83cfb
                                • Instruction Fuzzy Hash: D801D2723043149BE720AB61EC4DF6B77E8EB4A750F410426F915832A0E7B0AC448661
                                APIs
                                • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0014478A
                                • SendMessageW.USER32 ref: 001447B9
                                • StrRetToBufW.SHLWAPI(?,?,?,00000040), ref: 001447E8
                                • PathRemoveBackslashW.SHLWAPI ref: 001447EF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$BackslashPathRemove
                                • String ID:
                                • API String ID: 1132864304-3916222277
                                • Opcode ID: 7db927dc9cc2d8e1e3e2b94f478ac367cb6f6a36795347f77cbe60d2ac354e2d
                                • Instruction ID: b8e6e61dd5ff818aa78805a71fd90e2dad3adb5152788fe60594bf21a64a1d7f
                                • Opcode Fuzzy Hash: 7db927dc9cc2d8e1e3e2b94f478ac367cb6f6a36795347f77cbe60d2ac354e2d
                                • Instruction Fuzzy Hash: 6A014075200200AFE310DB69ED49FAB77ECEFCA724F504559F258D72E0D374E5058A91
                                APIs
                                • RtlGetNtVersionNumbers.NTDLL ref: 00131B1F
                                • SetPropW.USER32(?,UseImmersiveDarkModeColors,75A48510), ref: 00131B45
                                • SetWindowCompositionAttribute.USER32 ref: 00131B6E
                                  • Part of subcall function 00131990: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 001319AF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: AttributeCompositionInfoNumbersParametersPropSystemVersionWindow
                                • String ID: P#t@~t)t$UseImmersiveDarkModeColors
                                • API String ID: 153591563-336199375
                                • Opcode ID: 2fe43e0554050d9debaccc642ff2f709c8de0b9b78210f9c965a60fbcc6e9fae
                                • Instruction ID: 5c289efa08de5b6ec7b261ac4329fae154737b73be95fc5e5b07cbffc474ddbb
                                • Opcode Fuzzy Hash: 2fe43e0554050d9debaccc642ff2f709c8de0b9b78210f9c965a60fbcc6e9fae
                                • Instruction Fuzzy Hash: 6A11E174105301ABDB10AF18E949B9ABBE4FF5A704F048819F589D32E1E37488048B42
                                APIs
                                • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 0013131A
                                • #410.COMCTL32(?,00131550,00000000,00000000), ref: 00131340
                                • SendMessageW.USER32(?,00001036,00000000,00010030), ref: 00131353
                                • SendMessageW.USER32(?,00000127,00010001,00000000), ref: 00131362
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$#410
                                • String ID: ItemsView
                                • API String ID: 147371132-272564461
                                • Opcode ID: 6c46134d0a7785486c8d9ea6a4f1c5e9633d08016e34dde31cddcbca6a4533ba
                                • Instruction ID: 39067225400741acb27dc9696bd4c90b073ae8c02043d55377e811c070e6b4e4
                                • Opcode Fuzzy Hash: 6c46134d0a7785486c8d9ea6a4f1c5e9633d08016e34dde31cddcbca6a4533ba
                                • Instruction Fuzzy Hash: BAF05BB2BD032079F53517506C87FBB6A5C975AFA1F200016F3057E1D1DBD4784197A9
                                APIs
                                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,9AAD4D09,?,?,00000000,001AD9B8,000000FF,?,0018AAB1,0018AC00,?,0018AA85,00000000), ref: 0018AB5F
                                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0018AB71
                                • FreeLibrary.KERNEL32(00000000,?,?,00000000,001AD9B8,000000FF,?,0018AAB1,0018AC00,?,0018AA85,00000000), ref: 0018AB93
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: AddressFreeHandleLibraryModuleProc
                                • String ID: CorExitProcess$mscoree.dll
                                • API String ID: 4061214504-1276376045
                                • Opcode ID: ff71f30d89b67ada751703e086a2d41aa0666d29011f6dd0a1b57fad001e3f84
                                • Instruction ID: 51af55459a7ca269abc46f8838098803d477348b472a8f371518cc577ec147cf
                                • Opcode Fuzzy Hash: ff71f30d89b67ada751703e086a2d41aa0666d29011f6dd0a1b57fad001e3f84
                                • Instruction Fuzzy Hash: C101A231A04619AFDB119F54CC05FAEBBB8FF05B61F41062AF812A26D0DB749940CF91
                                APIs
                                • LoadLibraryExW.KERNEL32(?,00000000,00000800,?,001932E8), ref: 0019333E
                                • GetLastError.KERNEL32(?,001932E8), ref: 00193348
                                • LoadLibraryExW.KERNEL32(?,00000000,00000000), ref: 00193386
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID: api-ms-$ext-ms-
                                • API String ID: 3177248105-537541572
                                • Opcode ID: d6faecfc81077a31c9c3306afaf340aa0c0a75b3475d54672d35f04d1be3f1c2
                                • Instruction ID: 6cb45c0004028ee1b86fea3333ab4b2b767deddee8b815db0f7e12551c9a8ed1
                                • Opcode Fuzzy Hash: d6faecfc81077a31c9c3306afaf340aa0c0a75b3475d54672d35f04d1be3f1c2
                                • Instruction Fuzzy Hash: 8EF03030780308FBEF202F61DD06B593F96BF51B50F544020FA0CA84E1EBB2EB918A46
                                APIs
                                • LoadLibraryW.KERNEL32(uxtheme.dll), ref: 001451D9
                                • GetProcAddress.KERNEL32(00000000,IsAppThemed), ref: 001451EB
                                • FreeLibrary.KERNEL32(00000000), ref: 001451FA
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Library$AddressFreeLoadProc
                                • String ID: IsAppThemed$uxtheme.dll
                                • API String ID: 145871493-2993874081
                                • Opcode ID: 274f3b97ce29b966a907ee3dc6c54f1d8b1400b7e0ed13f43d38c4040d34ca8a
                                • Instruction ID: 232fb28c1b298d46579e35d1002c5886ae930c5b1b5c99aabdfbe05dff317f63
                                • Opcode Fuzzy Hash: 274f3b97ce29b966a907ee3dc6c54f1d8b1400b7e0ed13f43d38c4040d34ca8a
                                • Instruction Fuzzy Hash: FBD05B323006205B572117796C4CDAB66F9DFC2F5130A0155F400D2610DB648C818561
                                APIs
                                • __alloca_probe_16.LIBCMT ref: 001929C8
                                • __alloca_probe_16.LIBCMT ref: 00192A89
                                • __freea.LIBCMT ref: 00192AF0
                                  • Part of subcall function 00190253: HeapAlloc.KERNEL32(00000000,?,?,?,00152D34,?,?,0013102A,00000024,9AAD4D09,?,?,001AD2BF,000000FF), ref: 00190285
                                • __freea.LIBCMT ref: 00192B05
                                • __freea.LIBCMT ref: 00192B15
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __freea$__alloca_probe_16$AllocHeap
                                • String ID:
                                • API String ID: 1096550386-0
                                • Opcode ID: 0b9b1a961b663f155084d9801387afce036a7060de4173f802db9d4ae64d1745
                                • Instruction ID: 181fc395feba3ae4322fc7ceb5d251b666933da61a1a84a6524bf9c1e12d2f1a
                                • Opcode Fuzzy Hash: 0b9b1a961b663f155084d9801387afce036a7060de4173f802db9d4ae64d1745
                                • Instruction Fuzzy Hash: 4851AB72600216BFEF259F648C82EBB3BE9EF54354B250128FD09E7151EB75CC50D6A0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: operator+shared_ptr$NameName::
                                • String ID:
                                • API String ID: 2894330373-0
                                • Opcode ID: 0619f75a1bc4bf0b7188683cac25347cc14d23736c4049f6c7d1560b68960eca
                                • Instruction ID: 9d153bda4c6e6255b830c21bbe36205ddd498236886ac481c705d6bec2f2efec
                                • Opcode Fuzzy Hash: 0619f75a1bc4bf0b7188683cac25347cc14d23736c4049f6c7d1560b68960eca
                                • Instruction Fuzzy Hash: AA61A375808209EFCB14CFA4E989AFD7BB4FB04305F14826AEC259F255DB769649CF40
                                APIs
                                • FindFirstVolumeW.KERNEL32(?,00000200,6B22EED2), ref: 02894211
                                • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,00000400,?), ref: 0289423A
                                • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 02894262
                                • FindNextVolumeW.KERNEL32(00000000,?,00000200), ref: 02894382
                                • FindVolumeClose.KERNEL32(00000000), ref: 02894391
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Volume$Find$CloseFirstInformationNameNamesNextPath
                                • String ID:
                                • API String ID: 1001540003-0
                                • Opcode ID: 461de3c95acaa7833c32cf30f8e6b24b082e445699b9363a2df839dfe0cbd7c6
                                • Instruction ID: 4426ab9b1656c71289c129e1cfd8b040d060bcd3f2b59e1792f5781803bdf1c6
                                • Opcode Fuzzy Hash: 461de3c95acaa7833c32cf30f8e6b24b082e445699b9363a2df839dfe0cbd7c6
                                • Instruction Fuzzy Hash: 5051707590021C9BEB24CF24DD54FEAB3B8FB44704F184699E519E7680EB74AA84CF54
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,true,true,?,00000040), ref: 001331F6
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide
                                • String ID: Settings$ShowDriveBox$false$true
                                • API String ID: 626452242-921498056
                                • Opcode ID: 3291988935c1d25ad0b037989455bc008d69021da6d9722bac5b1c01bf0f0b20
                                • Instruction ID: 54d8be707475259af33ca81f47a04d0af3d826c786647c53557caef486414589
                                • Opcode Fuzzy Hash: 3291988935c1d25ad0b037989455bc008d69021da6d9722bac5b1c01bf0f0b20
                                • Instruction Fuzzy Hash: 3F1106767102015BE7349728EC16BB777E9EBCA740F848429F9A9DB1C0EF74C9088392
                                APIs
                                • CharNextW.USER32(?,?,771EF860,?,0013F938), ref: 001463A1
                                • lstrlenW.KERNEL32(?,?,771EF860,?,0013F938), ref: 001463B2
                                • lstrlenW.KERNEL32(?,?,?,0013F938), ref: 001463C7
                                • CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463D4
                                • CharPrevW.USER32(?,00000000,?,?,0013F938), ref: 001463E7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Char$Prevlstrlen$Next
                                • String ID:
                                • API String ID: 2482157412-0
                                • Opcode ID: 713c6ba7eb1f6c46d57b04d176e8806582947ed8a4f0b82900fd9d499c1555bf
                                • Instruction ID: 07dccac687190150da5703f21ccb376abde80381dccc48df670fb3ce2c683959
                                • Opcode Fuzzy Hash: 713c6ba7eb1f6c46d57b04d176e8806582947ed8a4f0b82900fd9d499c1555bf
                                • Instruction Fuzzy Hash: 1C01A2629102645BDB246F68DCC093B77FCFB8B324B050466E405D7161DBB09C91C7B1
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?,00000000,771B3070,75A45540,?,0014F3C1,?,00000100,00002712,?), ref: 0014506E
                                • LoadStringW.USER32(?,00000000,?), ref: 00145087
                                • LoadStringW.USER32(?,00000000,?), ref: 0014509E
                                • LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001450C2
                                • lstrlenW.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 001450C9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LoadLocalString$AllocFreelstrlen
                                • String ID:
                                • API String ID: 389633860-0
                                • Opcode ID: 5bc6ff886cd62205439e718338e32ee41b3e67e5e07f9ad9c7380948ef1024d7
                                • Instruction ID: 6237af4ff81269345225b6011cf2b5df20c630b66e2b616329774572f72cb3ae
                                • Opcode Fuzzy Hash: 5bc6ff886cd62205439e718338e32ee41b3e67e5e07f9ad9c7380948ef1024d7
                                • Instruction Fuzzy Hash: E6018F72305215ABC7209B66FC48C6BBFADEFC6366B000026FA05D2121E73198598BB1
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E0297
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E02A1
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • numpunct.LIBCPMT ref: 028E02DB
                                • std::_Facet_Register.LIBCPMT ref: 028E02F2
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E0312
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                • String ID:
                                • API String ID: 743221004-0
                                • Opcode ID: 9f19b9c613edc709007069e90aa3bc83067b6b7c2d62eb9b295e663d4c3b33fd
                                • Instruction ID: 68d38865858c79e67a2099c446dacb0d7edc7af35ae4a8686ba29ba9a9ba3b07
                                • Opcode Fuzzy Hash: 9f19b9c613edc709007069e90aa3bc83067b6b7c2d62eb9b295e663d4c3b33fd
                                • Instruction Fuzzy Hash: 9F01843D9042199FCF05EBA8C4146BE77A6BF85354F250508D819F7290DF749E45CB92
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E0202
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E020C
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • numpunct.LIBCPMT ref: 028E0246
                                • std::_Facet_Register.LIBCPMT ref: 028E025D
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E027D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Registernumpunct
                                • String ID:
                                • API String ID: 743221004-0
                                • Opcode ID: a780ced745be8b8e235b81ad5a5965041e4501662dd8bb334f121594dbc2d29a
                                • Instruction ID: 57b982d9aa890e9316f14e323abc9ab0b130552db498ac801eb1857149f64500
                                • Opcode Fuzzy Hash: a780ced745be8b8e235b81ad5a5965041e4501662dd8bb334f121594dbc2d29a
                                • Instruction Fuzzy Hash: A601843DA042159BCF06EBA8C4146BEB7A7BF94314F294509D815F7290DF749A09CF92
                                APIs
                                • GetWindowThreadProcessId.USER32(?,?), ref: 00145175
                                • OpenProcess.KERNEL32(00000410,00000000,?,?,?), ref: 00145186
                                • EnumProcessModules.PSAPI(00000000,?,00000004,00000000,?,?), ref: 0014519B
                                • GetModuleFileNameExW.PSAPI(00000000,?,?,00000100,?,?), ref: 001451AC
                                • CloseHandle.KERNEL32(00000000,?,00000100,?,?), ref: 001451B3
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Process$CloseEnumFileHandleModuleModulesNameOpenThreadWindow
                                • String ID:
                                • API String ID: 1339411102-0
                                • Opcode ID: 70c8346daa8025bfef609ce484f3ce5a2226b85ee89da1c8ed44750224d249fb
                                • Instruction ID: c0714059864b58dd4b83f387b3d324dfa392c64f105a858a95e9564540476307
                                • Opcode Fuzzy Hash: 70c8346daa8025bfef609ce484f3ce5a2226b85ee89da1c8ed44750224d249fb
                                • Instruction Fuzzy Hash: DCF08276104210BFE3119B54EC49FDB7FECEF8A750F008829F645C1160D7749589CBA6
                                APIs
                                • lstrlenW.KERNEL32 ref: 00146825
                                • GlobalAlloc.KERNEL32(00002042,00000000), ref: 00146838
                                • GlobalLock.KERNEL32(00000000), ref: 00146845
                                • lstrcpyW.KERNEL32(-00000014), ref: 00146876
                                • GlobalUnlock.KERNEL32(00000000), ref: 0014687D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Global$AllocLockUnlocklstrcpylstrlen
                                • String ID:
                                • API String ID: 270455586-0
                                • Opcode ID: 2fd898188a5664b9e58ff4cd122a1609a911d009efda52f6a2a1afa0efe8785a
                                • Instruction ID: d8864e54c7782ed2160174f86213da0a3ae135c3f9761ee2761a7789cb1b4d3a
                                • Opcode Fuzzy Hash: 2fd898188a5664b9e58ff4cd122a1609a911d009efda52f6a2a1afa0efe8785a
                                • Instruction Fuzzy Hash: 27F0FEB16012219FE7515F15EC0CB9B7BE8EB82755F068054F5058B271DBB9C885CBA1
                                APIs
                                • CreateFileW.KERNEL32(00000000,C0000000,00000000,00000000,00000002,00000080,00000000,02951784,6B22EED2,00000000,?), ref: 02894558
                                • WriteFile.KERNEL32(00000000,ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo,00000443,00000000), ref: 0289457D
                                • CloseHandle.KERNEL32(00000000), ref: 02894584
                                Strings
                                • ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo, xrefs: 02894577
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleWrite
                                • String ID: ATTENTION!Your network has been breached and all data was encrypted. Please contact us at:https://bastad5huzwkepdixedg2gekg7jk22ato24zyllp6lnjx7wdtyctgvyd.onion/ Login ID: a3ae86a9-08d9-49ca-8317-2f17622c44fd*!* To access .onion websites downlo
                                • API String ID: 1065093856-1903016490
                                • Opcode ID: a0fc4ad96227a28025aefca1763c599d7ebb08d1c60cf308e62f83f7572d50a8
                                • Instruction ID: fa862bdb63249e11edf020e3e6ca80dcc2da4b12687ff608734a9ccfb1bb6af4
                                • Opcode Fuzzy Hash: a0fc4ad96227a28025aefca1763c599d7ebb08d1c60cf308e62f83f7572d50a8
                                • Instruction Fuzzy Hash: BE71D179D00218DFDF14DFA8C898BAEB7B1FF48318F144219E51AE7290D734AA46CB95
                                APIs
                                  • Part of subcall function 001326C0: CreateFileW.KERNEL32(00290388,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00132703
                                  • Part of subcall function 001326C0: LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 0013271A
                                • FlushFileBuffers.KERNEL32(00000000,00000000), ref: 00133D8C
                                • UnlockFileEx.KERNEL32(00000000,00000000,000000FF,00000000,?), ref: 00133D9E
                                • CloseHandle.KERNEL32(00000000), ref: 00133DA5
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$BuffersCloseCreateFlushHandleLockUnlock
                                • String ID: Filters
                                • API String ID: 3886186091-3083492881
                                • Opcode ID: 99774c0efecf5cf2485712fd61f91a84cf375060bbc42478e27695f41c248200
                                • Instruction ID: b3597dc02864a28ef3617c449ed724cbc445371b941657decf89e55c7c2e4bee
                                • Opcode Fuzzy Hash: 99774c0efecf5cf2485712fd61f91a84cf375060bbc42478e27695f41c248200
                                • Instruction Fuzzy Hash: 1251CC72A083009FC720EF54C880BAFB7E4EF95311F54496DF961972A1D775AA08CBA6
                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 028F013C
                                  • Part of subcall function 02889390: std::_Lockit::_Lockit.LIBCPMT ref: 028893C3
                                  • Part of subcall function 02889390: std::_Lockit::_Lockit.LIBCPMT ref: 028893E5
                                  • Part of subcall function 02889390: std::_Lockit::~_Lockit.LIBCPMT ref: 02889405
                                  • Part of subcall function 02889390: std::_Lockit::~_Lockit.LIBCPMT ref: 028894FD
                                • _Find_unchecked1.LIBCPMT ref: 028F01DF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Lockitstd::_$Lockit::_Lockit::~_$Find_unchecked1H_prolog3_
                                • String ID: 0123456789-$0123456789-
                                • API String ID: 156722996-2494171821
                                • Opcode ID: abff2c604bc2598dc9f63b3408140b2ad209539fa41b8481be11b9363491eeea
                                • Instruction ID: c017cea339eb23787f4f849e99735480ad05161221f9aa07bd5a61ddb24dca31
                                • Opcode Fuzzy Hash: abff2c604bc2598dc9f63b3408140b2ad209539fa41b8481be11b9363491eeea
                                • Instruction Fuzzy Hash: 89415C39900209DFDF15EFA8C880AEEBBB6BF04314F100059E915EB255DB759A56CF92
                                APIs
                                • CreateFileW.KERNEL32(00290388,80000000,00000003,00000000,00000003,00000080,00000000), ref: 00132703
                                • LockFileEx.KERNEL32(00000000,00000000,00000000,000000FF,00000000,?), ref: 0013271A
                                Strings
                                • AcquireReadFileLock(%s): INVALID FILE HANDLE!, xrefs: 00132753
                                • AcquireReadFileLock(%s): NO READER LOCK ACQUIRED!, xrefs: 0013273A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$CreateLock
                                • String ID: AcquireReadFileLock(%s): INVALID FILE HANDLE!$AcquireReadFileLock(%s): NO READER LOCK ACQUIRED!
                                • API String ID: 3593386577-1051419391
                                • Opcode ID: cde5296f2b25d639bf37e3d933912021c58fe14c7afb6b34408977866b63bc52
                                • Instruction ID: 281710e9aaaf06dbad3772f4696fd8b8c0bfbdc87240b01f61b515e1c05c005a
                                • Opcode Fuzzy Hash: cde5296f2b25d639bf37e3d933912021c58fe14c7afb6b34408977866b63bc52
                                • Instruction Fuzzy Hash: 7A213A71741300B3E231A734AC56F9B33DCAB91B30F600615FA64A60D0EBB4A6488251
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E636B
                                  • Part of subcall function 028DEDC3: _Maklocstr.LIBCPMT ref: 028DEDE3
                                  • Part of subcall function 028DEDC3: _Maklocstr.LIBCPMT ref: 028DEE00
                                  • Part of subcall function 028DEDC3: _Maklocstr.LIBCPMT ref: 028DEE1D
                                  • Part of subcall function 028DEDC3: _Maklocchr.LIBCPMT ref: 028DEE2F
                                  • Part of subcall function 028DEDC3: _Maklocchr.LIBCPMT ref: 028DEE42
                                • _Mpunct.LIBCPMT ref: 028E63F8
                                • _Mpunct.LIBCPMT ref: 028E6412
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Maklocstr$MaklocchrMpunct$H_prolog3
                                • String ID: $+xv
                                • API String ID: 2939335142-1686923651
                                • Opcode ID: 7b4d513273d10f30b388e0146447be10b9cb4d3b31a0a42bcb5e59ee99295ed3
                                • Instruction ID: 2d26868dfbe1c7c7dca160f781b953485af46ca9ab96cf4fafa407a741703bb7
                                • Opcode Fuzzy Hash: 7b4d513273d10f30b388e0146447be10b9cb4d3b31a0a42bcb5e59ee99295ed3
                                • Instruction Fuzzy Hash: 4121B5B9804B916EDB21DF78848063BBFFCAB19304F04095AE59AC7A41E730E605CF91
                                APIs
                                • lstrcmpW.KERNEL32(?,*.*), ref: 00144339
                                • StrChrW.SHLWAPI(?,0000003B,?,*.*), ref: 0014435B
                                • StrChrW.SHLWAPI(?,0000003B,?,*.*), ref: 0014437D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: lstrcmp
                                • String ID: *.*
                                • API String ID: 1534048567-438819550
                                • Opcode ID: e1cf375411139097a390d3edab2e71f29684c7993fdae2a734630c21c41c7915
                                • Instruction ID: a16c28d2232bb055a87d24230c81eef1c9ba3c82535a9922de7c63b7bf89f83c
                                • Opcode Fuzzy Hash: e1cf375411139097a390d3edab2e71f29684c7993fdae2a734630c21c41c7915
                                • Instruction Fuzzy Hash: 6821E1B22017118BE7259F24DC84BA7B3E9FF81B14F04846EEA56C7650EB72A901CB10
                                APIs
                                • FlushFileBuffers.KERNEL32(00000000,00000000), ref: 0013372B
                                • UnlockFileEx.KERNEL32(00000000,00000000,000000FF,00000000,?), ref: 0013373D
                                • CloseHandle.KERNEL32(00000000), ref: 00133744
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: File$BuffersCloseFlushHandleUnlock
                                • String ID: Settings2
                                • API String ID: 838080827-1942966065
                                • Opcode ID: 9dca0b19a1cef7015bcea3910ba31f919efa7d1d46e2792c5e03293d6330d610
                                • Instruction ID: 6a145499f5ce0549384bf8c6f6de1999af7f927c7d3a8ba4a5cac83b721e05b7
                                • Opcode Fuzzy Hash: 9dca0b19a1cef7015bcea3910ba31f919efa7d1d46e2792c5e03293d6330d610
                                • Instruction Fuzzy Hash: AC115BB26043105FC710AB2CDD85A9EB7E8DFD0330F440629F954932A0D7349E4DC3A6
                                APIs
                                • __is_exception_typeof.LIBVCRUNTIME ref: 00155097
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __is_exception_typeof
                                • String ID: MOC$RCC$csm
                                • API String ID: 3140442014-2671469338
                                • Opcode ID: b47ff39d65d8a8a1fcb5a3400d9e6fa48af9f635414f12087399cdfa19ff42c0
                                • Instruction ID: 98bfe45eb00f65619b2d26c6bfe533a4e8da8a57e02ab0af07337c8414b7b573
                                • Opcode Fuzzy Hash: b47ff39d65d8a8a1fcb5a3400d9e6fa48af9f635414f12087399cdfa19ff42c0
                                • Instruction Fuzzy Hash: FE119031510705DFD718AF54C415AAABBE9EF10312F560499FC508F2A2D7B5ED88CBD1
                                APIs
                                • LoadImageW.USER32(00000064,00000001,00000010,00000010,?,?), ref: 00150284
                                • lstrcpyW.KERNEL32(?,?,?,MiniPath), ref: 001502D8
                                • Shell_NotifyIconW.SHELL32(00000002,000003BC), ref: 001502F0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: IconImageLoadNotifyShell_lstrcpy
                                • String ID: MiniPath
                                • API String ID: 2060738540-3848962392
                                • Opcode ID: 0e63359f1fac900d39d69676bd9a7fea08ee32a2eee765bed5a8c1359b933f39
                                • Instruction ID: e4c006a49736c71dc9e83d272a1107d715d5a9665142db0657c54e77a4a75729
                                • Opcode Fuzzy Hash: 0e63359f1fac900d39d69676bd9a7fea08ee32a2eee765bed5a8c1359b933f39
                                • Instruction Fuzzy Hash: BE11CA71644310DFE3218F04EC4AB5BBBE8EB88B54F00441DF958E72D0D3B499488F96
                                APIs
                                • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 00132664
                                • LockFileEx.KERNEL32(00000000,00000002,00000000,000000FF,00000000,?,?,C0000000,00000003,00000000,00000004,00000080,00000000), ref: 0013267B
                                  • Part of subcall function 00142F30: GetLastError.KERNEL32(?,00000000,?,?,00132773), ref: 00142F39
                                  • Part of subcall function 00142F30: FormatMessageW.KERNEL32 ref: 00142F63
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000,00000000,00290388), ref: 00142F7A
                                  • Part of subcall function 00142F30: lstrlenW.KERNEL32(00000000), ref: 00142F82
                                  • Part of subcall function 00142F30: LocalAlloc.KERNEL32(00000040,00000000), ref: 00142F92
                                  • Part of subcall function 00142F30: GetFocus.USER32 ref: 00142FBF
                                  • Part of subcall function 00142F30: MessageBoxExW.USER32(?,00000000,MiniPath - ERROR,00000010,?), ref: 00142FDA
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(00000000,?,?,00132773), ref: 00142FE1
                                  • Part of subcall function 00142F30: LocalFree.KERNEL32(?), ref: 00142FE7
                                Strings
                                • AcquireWriteFileLock(): INVALID FILE HANDLE!, xrefs: 001326A0
                                • AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!, xrefs: 0013268A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Local$FileFreeMessagelstrlen$AllocCreateErrorFocusFormatLastLock
                                • String ID: AcquireWriteFileLock(): INVALID FILE HANDLE!$AcquireWriteFileLock(): NO EXCLUSIVE LOCK ACQUIRED!
                                • API String ID: 434643049-250906885
                                • Opcode ID: 20c0c9794443894ae3f9c84123c6f0f2166443d0f90a2609cd39ed59a08eed9b
                                • Instruction ID: 4d4f5fdaf0c7d2e6b0102e32595b273f2e04378accdb03a62791b26a119071e5
                                • Opcode Fuzzy Hash: 20c0c9794443894ae3f9c84123c6f0f2166443d0f90a2609cd39ed59a08eed9b
                                • Instruction Fuzzy Hash: BAF0F67139521132F638253D7C16F8A62989F83BB5F794335FE70E60E4DBA09C850168
                                APIs
                                • GetClassNameW.USER32(?,?,00000040), ref: 0014FFE2
                                • lstrcmpiW.KERNEL32(?,MiniPath), ref: 0014FFF6
                                • IsWindowEnabled.USER32(?), ref: 00150003
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ClassEnabledNameWindowlstrcmpi
                                • String ID: MiniPath
                                • API String ID: 2986337850-3848962392
                                • Opcode ID: f55e70acca192fe521287198398d0d30d19038ca4313014a62a029763370f290
                                • Instruction ID: 0049f8890ae19e2e69fb28269b6ed5ed54e1f96bda1317b456e81dcb3567d180
                                • Opcode Fuzzy Hash: f55e70acca192fe521287198398d0d30d19038ca4313014a62a029763370f290
                                • Instruction Fuzzy Hash: 37F0AF727042019BD7349B25EC85B6BF7E8FF8D741F00482AF989C3180EB7498188762
                                APIs
                                • GetPropW.USER32(DirListData), ref: 001440E2
                                • SHGetPathFromIDListW.SHELL32(?,?), ref: 001440F0
                                • lstrcpyW.KERNEL32(?,?), ref: 00144100
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FromListPathProplstrcpy
                                • String ID: DirListData
                                • API String ID: 1236027899-869039069
                                • Opcode ID: af1c0ca2aec86166f97573e8a7bccd9a13492e292b71ccf66cbe05696fcef5bd
                                • Instruction ID: 61a37fad20c4149ed148d6955b327065006e422cea2b60a4de9a0d8301598a4a
                                • Opcode Fuzzy Hash: af1c0ca2aec86166f97573e8a7bccd9a13492e292b71ccf66cbe05696fcef5bd
                                • Instruction Fuzzy Hash: 7BF0B4B66103009FE720DB64EC4EBBB7BE4FF49711F954519F82986161EB389898C742
                                APIs
                                • #410.COMCTL32(?,00131710,00000000,00000000), ref: 00131585
                                • SendMessageW.USER32(?,0000112C,00000000,00000064), ref: 00131595
                                • SendMessageW.USER32(?,00000127,00010001,00000000), ref: 001315A8
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$#410
                                • String ID: ItemsView
                                • API String ID: 147371132-272564461
                                • Opcode ID: 20220ab629ef7221198069af71af0a78795ad12b0febddfd603044788d7f6621
                                • Instruction ID: 94aedef3b7b6f90c3cb43021648301e187ea1a58908bddd0f77094645a7d6de8
                                • Opcode Fuzzy Hash: 20220ab629ef7221198069af71af0a78795ad12b0febddfd603044788d7f6621
                                • Instruction Fuzzy Hash: 45E04F71380300BAF5211B606D4BFBA35BD9B8BF02F200014F305BD4D18BF86491962A
                                APIs
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,0015E453,00000000,?,0028F048,?,?,?,0015E6AA,00000004,InitializeCriticalSectionEx,001B6CDC,InitializeCriticalSectionEx), ref: 0015E563
                                • GetLastError.KERNEL32(?,0015E453,00000000,?,0028F048,?,?,?,0015E6AA,00000004,InitializeCriticalSectionEx,001B6CDC,InitializeCriticalSectionEx,00000000,?,00157172), ref: 0015E56D
                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000), ref: 0015E595
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LibraryLoad$ErrorLast
                                • String ID: api-ms-
                                • API String ID: 3177248105-2084034818
                                • Opcode ID: 8234c0ddd0922a4f2c92811bc72de46225b3d67d3f0402e64afec93e37be3be3
                                • Instruction ID: cd9d7ef47ba240b991466760e98431b5aa0b8027624acba5a4d33880b54173a6
                                • Opcode Fuzzy Hash: 8234c0ddd0922a4f2c92811bc72de46225b3d67d3f0402e64afec93e37be3be3
                                • Instruction Fuzzy Hash: C7E01A70790304FBEF201F60EC06BA83E96AB12B55F508420F91CE84E0F7A2EA958A45
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeTask$MessageSend
                                • String ID:
                                • API String ID: 1000612462-3916222277
                                • Opcode ID: f080c95da0bceb8e2cdcd122a1550670ce290aea59fa891595f1ac04e05dd382
                                • Instruction ID: 97d5d0a0deddba6e29594c4ccde2720fdb7a2da5cbb881f03501a4305102c1dd
                                • Opcode Fuzzy Hash: f080c95da0bceb8e2cdcd122a1550670ce290aea59fa891595f1ac04e05dd382
                                • Instruction Fuzzy Hash: 6FF01579604201AFD304DF48EE88B6ABBF8FB9D700F004459F609976A0D731EC95CB52
                                APIs
                                • GetPropW.USER32(00000000,DirListData), ref: 0014323A
                                  • Part of subcall function 00143280: GetPropW.USER32(?,DirListData), ref: 0014328A
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143298
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432A6
                                  • Part of subcall function 00143280: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 001432D2
                                  • Part of subcall function 00143280: TranslateMessage.USER32(?), ref: 001432DD
                                  • Part of subcall function 00143280: DispatchMessageW.USER32(?), ref: 001432E4
                                  • Part of subcall function 00143280: WaitForSingleObject.KERNEL32(?,00000000,?,?,?,?,?,?,?,00143420,?,?), ref: 001432EE
                                  • Part of subcall function 00143280: ResetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 00143301
                                  • Part of subcall function 00143280: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,00143420,?,?), ref: 0014330D
                                • ResetEvent.KERNEL32(?), ref: 00143255
                                • ResetEvent.KERNEL32(?), ref: 0014325D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Event$MessageReset$ObjectPropSingleWait$DispatchPeekTranslate
                                • String ID: DirListData
                                • API String ID: 628585283-869039069
                                • Opcode ID: 93748a375b8d561e9c3aa8e90e5b4c22008482d9aa469ce2646297d698ba38a7
                                • Instruction ID: f52013fdd799e984e90f23960f2d759babcd17494423542075d0d2433544111b
                                • Opcode Fuzzy Hash: 93748a375b8d561e9c3aa8e90e5b4c22008482d9aa469ce2646297d698ba38a7
                                • Instruction Fuzzy Hash: 62E08632B0002137C6142365BC0DF8A7ED4DF96720F040126F40453260DBA02D5289E4
                                APIs
                                • SetBkColor.GDI32(?,00333333), ref: 0014838E
                                • GetSysColor.USER32(0000000F), ref: 00148398
                                • SetBkColor.GDI32(?,00000000), ref: 001483A0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Color
                                • String ID: 333
                                • API String ID: 2811717613-2463598333
                                • Opcode ID: a200565ed602299da8f49abfd5345d22696a5b57b51b8cec6adddd1de332b376
                                • Instruction ID: 9fd507d29d4e909549a3a759e8f70385c30af1fe379c562c7551217ca048e6dc
                                • Opcode Fuzzy Hash: a200565ed602299da8f49abfd5345d22696a5b57b51b8cec6adddd1de332b376
                                • Instruction Fuzzy Hash: C1D01235205422ABE751271CBE089FF269DEF8B732B0DC451F515D1815DF984DC546B2
                                APIs
                                • GetConsoleOutputCP.KERNEL32(9AAD4D09,?,00000000,?), ref: 001A35AF
                                  • Part of subcall function 00197F0A: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00191B59,?,00000000,?), ref: 00197FB6
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 001A380A
                                • WriteFile.KERNEL32(?,?,00000001,?,00000000), ref: 001A3852
                                • GetLastError.KERNEL32 ref: 001A38F5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FileWrite$ByteCharConsoleErrorLastMultiOutputWide
                                • String ID:
                                • API String ID: 2112829910-0
                                • Opcode ID: aa623c13f984025e9658a38cda7bfe5d03c59cba8fba9ef4e39139173fdd67d5
                                • Instruction ID: 8ca2f1d30e360997b3e8642510fbd2e8ebe284f6927370c2ac80b20f10e75b07
                                • Opcode Fuzzy Hash: aa623c13f984025e9658a38cda7bfe5d03c59cba8fba9ef4e39139173fdd67d5
                                • Instruction Fuzzy Hash: 91D15CB9E002589FCB15CFE8D881AADBBB5FF0A310F14412AF926E7355D730AA45CB50
                                APIs
                                • __EH_prolog3.LIBCMT ref: 0015A2FB
                                • UnDecorator::getSymbolName.LIBCMT ref: 0015A38D
                                • DName::operator+.LIBCMT ref: 0015A491
                                • DName::DName.LIBVCRUNTIME ref: 0015A534
                                  • Part of subcall function 00157C69: shared_ptr.LIBCMT ref: 00157C85
                                  • Part of subcall function 00157F03: DName::DName.LIBVCRUNTIME ref: 00157F61
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name$Name::$Decorator::getH_prolog3Name::operator+Symbolshared_ptr
                                • String ID:
                                • API String ID: 1134295639-0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: AdjustPointer
                                • String ID:
                                • API String ID: 1740715915-0
                                APIs
                                • DName::operator+.LIBCMT ref: 0015A6E7
                                  • Part of subcall function 00157C2D: DName::operator+=.LIBCMT ref: 00157C43
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Name::operator+Name::operator+=
                                • String ID:
                                • API String ID: 382699925-0
                                APIs
                                  • Part of subcall function 029153CA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,02914E8C,?,00000000,-00000008), ref: 02915476
                                • GetLastError.KERNEL32 ref: 02918423
                                • __dosmaperr.LIBCMT ref: 0291842A
                                • GetLastError.KERNEL32(?,?,?,?), ref: 02918464
                                • __dosmaperr.LIBCMT ref: 0291846B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                • String ID:
                                • API String ID: 1913693674-0
                                APIs
                                  • Part of subcall function 00197F0A: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00191B59,?,00000000,?), ref: 00197FB6
                                • GetLastError.KERNEL32 ref: 00195DAB
                                • __dosmaperr.LIBCMT ref: 00195DB2
                                • GetLastError.KERNEL32(?,?,?,?), ref: 00195DEC
                                • __dosmaperr.LIBCMT ref: 00195DF3
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ErrorLast__dosmaperr$ByteCharMultiWide
                                • String ID:
                                • API String ID: 1913693674-0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                APIs
                                • GetEnvironmentStringsW.KERNEL32 ref: 00198067
                                  • Part of subcall function 00197F0A: WideCharToMultiByte.KERNEL32(?,00000000,?,00000000,?,?,00000001,0000FDE9,00000000,?,?,?,00191B59,?,00000000,?), ref: 00197FB6
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0019809F
                                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 001980BF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EnvironmentStrings$Free$ByteCharMultiWide
                                • String ID:
                                • API String ID: 158306478-0
                                APIs
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003), ref: 001480CE
                                • VerSetConditionMask.KERNEL32(00000000), ref: 001480D2
                                • VerSetConditionMask.KERNEL32(00000000), ref: 001480D6
                                • VerifyVersionInfoW.KERNEL32(?,00000023,00000000), ref: 001480F9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConditionMask$InfoVerifyVersion
                                • String ID:
                                • API String ID: 2793162063-0
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeLocal$lstrcmpi
                                • String ID:
                                • API String ID: 4076108973-0
                                APIs
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,true,true,?,00000040,?,00000000), ref: 00137053
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ByteCharMultiWide
                                • String ID: Settings$false$true
                                • API String ID: 626452242-540067373
                                APIs
                                • CreateThread.KERNEL32(00000000,00143860,0018127D,00000000,00000004,00000000), ref: 00181577
                                • GetLastError.KERNEL32(?,?,?,0014326C,00143860), ref: 00181583
                                • __dosmaperr.LIBCMT ref: 0018158A
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CreateErrorLastThread__dosmaperr
                                • String ID:
                                • API String ID: 2744730728-0
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 001450E9
                                • LoadStringA.USER32(?,00000000,?), ref: 00145104
                                • LoadStringA.USER32(?,00000000,?), ref: 0014511B
                                • LocalFree.KERNEL32(00000000), ref: 0014513C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LoadLocalString$AllocFree
                                • String ID:
                                • API String ID: 1922530790-0
                                APIs
                                • SetFilePointerEx.KERNEL32(?,00000000,00000000,?,00000001,?), ref: 001A5764
                                • GetLastError.KERNEL32(?,?,?,?), ref: 001A5771
                                • SetFilePointerEx.KERNEL32(?,?,?,?,?), ref: 001A5797
                                • SetFilePointerEx.KERNEL32(?,?,?,00000000,00000000,?,?,?), ref: 001A57BD
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FilePointer$ErrorLast
                                • String ID:
                                • API String ID: 142388799-0
                                APIs
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00148186
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014818A
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014818E
                                • VerifyVersionInfoW.KERNEL32(00000023), ref: 001481B3
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConditionMask$InfoVerifyVersion
                                • String ID:
                                • API String ID: 2793162063-0
                                APIs
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00148246
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014824A
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014824E
                                • VerifyVersionInfoW.KERNEL32(00000023), ref: 00148273
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConditionMask$InfoVerifyVersion
                                APIs
                                • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,00000000), ref: 00148306
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014830A
                                • VerSetConditionMask.KERNEL32(00000000), ref: 0014830E
                                • VerifyVersionInfoW.KERNEL32(00000023), ref: 00148333
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConditionMask$InfoVerifyVersion
                                APIs
                                • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00143E5C
                                • SendMessageW.USER32(?,0000100C,000000FF,00000002), ref: 00143E6C
                                • SendMessageW.USER32(?,?,?,0000104B), ref: 00143E91
                                • SHGetDataFromIDListW.SHELL32(?,?,00000001,?,00000250), ref: 00143EAB
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageSend$DataFromList
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: FreeLocallstrcmplstrcmpi
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E03C1
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E03CB
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • std::_Facet_Register.LIBCPMT ref: 028E041C
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E043C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E032C
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E0336
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • std::_Facet_Register.LIBCPMT ref: 028E0387
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E03A7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E00D8
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E00E2
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • std::_Facet_Register.LIBCPMT ref: 028E0133
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E0153
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E0043
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E004D
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • std::_Facet_Register.LIBCPMT ref: 028E009E
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E00BE
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                APIs
                                • __EH_prolog3.LIBCMT ref: 028E016D
                                • std::_Lockit::_Lockit.LIBCPMT ref: 028E0177
                                  • Part of subcall function 028A9540: std::_Lockit::_Lockit.LIBCPMT ref: 028A954F
                                  • Part of subcall function 028A9540: std::_Lockit::~_Lockit.LIBCPMT ref: 028A956A
                                • std::_Facet_Register.LIBCPMT ref: 028E01C8
                                • std::_Lockit::~_Lockit.LIBCPMT ref: 028E01E8
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_H_prolog3Register
                                APIs
                                  • Part of subcall function 00147A20: FindResourceW.KERNEL32(00000000,?,00000005,?,?), ref: 00147A37
                                  • Part of subcall function 00147A20: LoadResource.KERNEL32(00000000,00000000), ref: 00147A4A
                                  • Part of subcall function 00147A20: LockResource.KERNEL32(00000000), ref: 00147A5B
                                  • Part of subcall function 00147A20: SizeofResource.KERNEL32(00000000,00000000), ref: 00147A6E
                                  • Part of subcall function 00147A20: LocalAlloc.KERNEL32(00000040,00000040), ref: 00147A84
                                  • Part of subcall function 00147A20: FreeResource.KERNEL32(00000000), ref: 00147AA0
                                  • Part of subcall function 00147A20: lstrlenW.KERNEL32(?), ref: 00147B1D
                                • DialogBoxIndirectParamW.USER32(00000000,00000000,?,Function_00011DE0,?), ref: 0014C696
                                • LocalFree.KERNEL32(00000000,?,Function_00011DE0,?), ref: 0014C6A3
                                • lstrcpyW.KERNEL32(?,?,?,Function_00011DE0,?), ref: 0014C6C2
                                • CreateDirectoryW.KERNEL32(?,00000000,?,Function_00011DE0,?), ref: 0014C6D2
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Resource$FreeLocal$AllocCreateDialogDirectoryFindIndirectLoadLockParamSizeoflstrcpylstrlen
                                APIs
                                • SystemParametersInfoW.USER32(00000048,00000008,00000000), ref: 00147E44
                                • GetWindowRect.USER32(?,?), ref: 00147E57
                                  • Part of subcall function 00147C80: FindWindowExW.USER32(00000000,00000000,Shell_TrayWnd,00000000), ref: 00147CA3
                                  • Part of subcall function 00147C80: FindWindowExW.USER32(00000000,00000000,TrayNotifyWnd,00000000), ref: 00147CB3
                                  • Part of subcall function 00147C80: GetWindowRect.USER32(00000000,?), ref: 00147CBB
                                • DrawAnimatedRects.USER32(?,00000003,?,?,?,?), ref: 00147E73
                                • ShowWindow.USER32(?,00000000), ref: 00147E7C
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Window$FindRect$AnimatedDrawInfoParametersRectsShowSystem
                                APIs
                                • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 001A7E5B
                                • GetLastError.KERNEL32 ref: 001A7E67
                                  • Part of subcall function 001A7F10: CloseHandle.KERNEL32(FFFFFFFE,001A7F5A,?,001A68E1,?,00000001,?,?,?,001A3949,?,?,00000000,?,?), ref: 001A7F20
                                • ___initconout.LIBCMT ref: 001A7E77
                                  • Part of subcall function 001A7ED2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001A7F01,001A68CE,?,?,001A3949,?,?,00000000,?), ref: 001A7EE5
                                • WriteConsoleW.KERNEL32(?,?,?,00000000), ref: 001A7E8B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                APIs
                                • ShowWindow.USER32 ref: 0014D44C
                                • GetFocus.USER32 ref: 0014D45C
                                • GetDlgCtrlID.USER32(00000000), ref: 0014D463
                                • SetFocus.USER32 ref: 0014D476
                                  • Part of subcall function 00145C50: GetClientRect.USER32(?,?), ref: 00145C67
                                  • Part of subcall function 00145C50: SendMessageW.USER32(?,00000005,00000000,?), ref: 00145C82
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Focus$ClientCtrlMessageRectSendShowWindow
                                APIs
                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,?,001A68E1,?,00000001,?,?,?,001A3949,?,?,00000000), ref: 001A7F3E
                                • GetLastError.KERNEL32(?,001A68E1,?,00000001,?,?,?,001A3949,?,?,00000000,?,?,?,001A3F18,?), ref: 001A7F4A
                                  • Part of subcall function 001A7F10: CloseHandle.KERNEL32(FFFFFFFE,001A7F5A,?,001A68E1,?,00000001,?,?,?,001A3949,?,?,00000000,?,?), ref: 001A7F20
                                • ___initconout.LIBCMT ref: 001A7F5A
                                  • Part of subcall function 001A7ED2: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,001A7F01,001A68CE,?,?,001A3949,?,?,00000000,?), ref: 001A7EE5
                                • WriteConsoleW.KERNEL32(?,?,00000000,00000000,?,001A68E1,?,00000001,?,?,?,001A3949,?,?,00000000,?), ref: 001A7F6F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
                                APIs
                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000010,?), ref: 001467F0
                                • SHGetPathFromIDListW.SHELL32(?), ref: 001467FF
                                • CoTaskMemFree.OLE32(?), ref: 00146809
                                • GetWindowsDirectoryW.KERNEL32 ref: 00146815
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: DirectoryFolderFreeFromListLocationPathSpecialTaskWindows
                                • String ID:
                                • API String ID: 2330934124-0
                                • Opcode ID: 6a113e8365be6683e91cfd6c64de606373fd4a5b6cdd9ca2cdfac9a5e2af4f71
                                • Instruction ID: 7c526f1f5837aee26ac07c15051ed0b2c41cb2eb8795655ffa9e57152573853b
                                • Opcode Fuzzy Hash: 6a113e8365be6683e91cfd6c64de606373fd4a5b6cdd9ca2cdfac9a5e2af4f71
                                • Instruction Fuzzy Hash: 9DE04F76201220BBD7241B15FC0CFDB7FA8EFC6772F10883AF546C2460DB7188919A61
                                APIs
                                • SleepConditionVariableCS.KERNELBASE(?,00152EB5,00000064), ref: 00152F53
                                • LeaveCriticalSection.KERNEL32(0028EC94,?,?,00152EB5,00000064), ref: 00152F5D
                                • WaitForSingleObjectEx.KERNEL32(?,00000000,?,00152EB5,00000064), ref: 00152F6E
                                • EnterCriticalSection.KERNEL32(0028EC94,?,00152EB5,00000064), ref: 00152F75
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CriticalSection$ConditionEnterLeaveObjectSingleSleepVariableWait
                                • String ID:
                                • API String ID: 3269011525-0
                                • Opcode ID: ecf93ce021498716dbe7ab6010e6b81e840a5067ce5fa0f234300584d4373a71
                                • Instruction ID: b2395946df04ce3fb3b74c486153eed617a1ccf700ca2f578faee08c9c887f6b
                                • Opcode Fuzzy Hash: ecf93ce021498716dbe7ab6010e6b81e840a5067ce5fa0f234300584d4373a71
                                • Instruction Fuzzy Hash: 15E01236A52224BBCE023B50FD09A993F75AB17752B020012F90D965A0CBA158548BD6
                                APIs
                                • SHGetSpecialFolderLocation.SHELL32(00000000,00000005,?), ref: 001467AD
                                • SHGetPathFromIDListW.SHELL32(?), ref: 001467BC
                                • CoTaskMemFree.OLE32(?), ref: 001467C6
                                • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 001467D5
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: DirectoryFolderFreeFromListLocationPathSpecialTaskWindows
                                • String ID:
                                • API String ID: 2330934124-0
                                • Opcode ID: 1cab3d84ce539c0e426161884888b019dc036d9b5e804170ea4524153bc842a5
                                • Instruction ID: 59f783d90a49846d11284ce8266215dd2148cbeeaf9a3a948c2c2e7fc4296eb0
                                • Opcode Fuzzy Hash: 1cab3d84ce539c0e426161884888b019dc036d9b5e804170ea4524153bc842a5
                                • Instruction Fuzzy Hash: 7EE0E671205220BBE6151B50ED0DFDB7FA8FF46B67F104419F547D14A0E7B04C509A52
                                APIs
                                • __EH_prolog3_GS.LIBCMT ref: 028E420F
                                  • Part of subcall function 028E01FB: __EH_prolog3.LIBCMT ref: 028E0202
                                  • Part of subcall function 028E01FB: std::_Lockit::_Lockit.LIBCPMT ref: 028E020C
                                  • Part of subcall function 028E01FB: std::_Lockit::~_Lockit.LIBCPMT ref: 028E027D
                                • _Find_unchecked1.LIBCPMT ref: 028E4463
                                Strings
                                • 0123456789ABCDEFabcdef-+Xx, xrefs: 028E4286
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: Lockitstd::_$Find_unchecked1H_prolog3H_prolog3_Lockit::_Lockit::~_
                                • String ID: 0123456789ABCDEFabcdef-+Xx
                                • API String ID: 1853221402-2799312399
                                • Opcode ID: 69f1b99973cfbbc189455f9f9b2bddf276878e306bc50c54cd9ecbe8767ade99
                                • Instruction ID: 2b5f4cc60228958117c38dbdca0a6060f82968939359ee1f64682f458d0d3d78
                                • Opcode Fuzzy Hash: 69f1b99973cfbbc189455f9f9b2bddf276878e306bc50c54cd9ecbe8767ade99
                                • Instruction Fuzzy Hash: E0D1533DE042588BDF25DF68C8807ECBBB2AF56308F584099D85FEB242DB749985CB51
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: __aulldiv
                                • String ID: +$-
                                • API String ID: 3732870572-2137968064
                                • Opcode ID: 1e36058dbef2d6cffd5eeef716eaae77e4669ddada1d7048601d0f8891ad95a6
                                • Instruction ID: f56d2cb775569ec54bbf0601afe4c6b3943f43152afb39a092ea0a8e34263290
                                • Opcode Fuzzy Hash: 1e36058dbef2d6cffd5eeef716eaae77e4669ddada1d7048601d0f8891ad95a6
                                • Instruction Fuzzy Hash: 79A1C331901659AEDF24CE78CC506FEBBA2EF55324F1885AAF8A5DB381D3319912CB50
                                APIs
                                • EncodePointer.KERNEL32(00000000,?), ref: 00156807
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: EncodePointer
                                • String ID: MOC$RCC
                                • API String ID: 2118026453-2084237596
                                • Opcode ID: fd59a0f0e1e26c6eb611c7240fae6d4140eccc29987a0741dd0ee850d9fe03bb
                                • Instruction ID: 3c29000b907c338e06d784ecb3a5a2f3bf2a81793abb40588da82bbf1027a73c
                                • Opcode Fuzzy Hash: fd59a0f0e1e26c6eb611c7240fae6d4140eccc29987a0741dd0ee850d9fe03bb
                                • Instruction Fuzzy Hash: A3415971900209EFCF15DF94C881AAEBBB5FF48306F5441A9FD246B261D3359994DB90
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: NameName::
                                • String ID: A
                                • API String ID: 1333004437-3554254475
                                • Opcode ID: 9e5321bcaf327da94e08d57aeca9712824558e990824238481815174a17a1073
                                • Instruction ID: 26e200a30508c5aa9b1637c5546cd3439593505cd94df44692f95f79969ca7a4
                                • Opcode Fuzzy Hash: 9e5321bcaf327da94e08d57aeca9712824558e990824238481815174a17a1073
                                • Instruction Fuzzy Hash: C721D574904108EFDF05DF64E806AAC7B72FF18301F508299FC665F292C7719989DB82
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1559058864.0000000002880000.00000040.00001000.00020000.00000000.sdmp, Offset: 02880000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2880000_bgsTrRPJh0.jbxd
                                Yara matches
                                Similarity
                                • API ID: shared_ptr
                                • String ID: volatile$volatile
                                • API String ID: 2025160788-1839175264
                                • Opcode ID: 366b344e0c3d1bb6dbfb5e164731b2b23d3636e9ab2c8140ac75d54e2f5074bc
                                • Instruction ID: 8c9c5819512c22d48748c49cad9bba9c8f1caacd46883dade065623868e41e05
                                • Opcode Fuzzy Hash: 366b344e0c3d1bb6dbfb5e164731b2b23d3636e9ab2c8140ac75d54e2f5074bc
                                • Instruction Fuzzy Hash: F1019E7A904219EFDB48DF98D8549EE7BF8FB48318F008959E559EB240E7319744CF81
                                APIs
                                • ___swprintf_l.LIBCMT ref: 0015762A
                                  • Part of subcall function 0015E056: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0015E066
                                • swprintf.LIBCMT ref: 0015764D
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ___swprintf_l_vsnprintfswprintf
                                • String ID: %lf
                                • API String ID: 3395499991-2891890143
                                • Opcode ID: 4c3a464f286af33f76fcad5a3132e658724fd822efec03fbbd14620548390f44
                                • Instruction ID: 64b0def62e37b030cce50318b59111b064e62248fae00ea609598f553bd0482b
                                • Opcode Fuzzy Hash: 4c3a464f286af33f76fcad5a3132e658724fd822efec03fbbd14620548390f44
                                • Instruction Fuzzy Hash: 99F0C2A5514008FADB047B94DC86FBF7F6CDB58391F014098FA441A182DB755E1493B6
                                APIs
                                • ___swprintf_l.LIBCMT ref: 00157686
                                  • Part of subcall function 0015E056: _vsnprintf.LEGACY_STDIO_DEFINITIONS ref: 0015E066
                                • swprintf.LIBCMT ref: 001576A9
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: ___swprintf_l_vsnprintfswprintf
                                • String ID: %lf
                                • API String ID: 3395499991-2891890143
                                • Opcode ID: 042af0270402caa5aea3801399f33a324475fe5d971d71969157737db8b6a4db
                                • Instruction ID: 20dc31d20f3a2e281100c393c934aa949345963583eba021eaccbb4dce8f41a4
                                • Opcode Fuzzy Hash: 042af0270402caa5aea3801399f33a324475fe5d971d71969157737db8b6a4db
                                • Instruction Fuzzy Hash: 95F024A1204008FADB047B54DC86FBF3B6CCF58390F018058FE441B182DB799E0483B6
                                APIs
                                • PathFindExtensionW.SHLWAPI(?,.lnk,771EF860), ref: 00146027
                                • lstrcmpiW.KERNEL32(00000000), ref: 0014602E
                                  • Part of subcall function 00146080: CoCreateInstance.OLE32(001B378C,00000000,00000001,001AFD7C,?,0000C356,?), ref: 001460AF
                                  • Part of subcall function 00146080: lstrcpyW.KERNEL32(?,?), ref: 001460DB
                                  • Part of subcall function 00146080: ExpandEnvironmentStringsW.KERNEL32(?,?,00000138), ref: 00146152
                                  • Part of subcall function 00146080: lstrcpynW.KERNEL32(?,?,?), ref: 0014616C
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CreateEnvironmentExpandExtensionFindInstancePathStringslstrcmpilstrcpylstrcpyn
                                • String ID: .lnk
                                • API String ID: 2874927818-24824748
                                • Opcode ID: e8d21ca964bbf0117e2ea3b6c789fe67ed9134f575ec44cec1ac8f2fb17fa100
                                • Instruction ID: 4a38e779179fb764fe7cdd18166c516f155420be4f67268053fa5c1cd7a3f920
                                • Opcode Fuzzy Hash: e8d21ca964bbf0117e2ea3b6c789fe67ed9134f575ec44cec1ac8f2fb17fa100
                                • Instruction Fuzzy Hash: 32F0E972A107105BD734AB78D84A7EF73E4AF59314F954919F859872A0FFB848C482C3
                                APIs
                                • CompareStringOrdinal.KERNEL32(?,000000FF,ImmersiveColorSet,000000FF,00000001), ref: 00131BE0
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CompareOrdinalString
                                • String ID: ImmersiveColorSet$)t
                                • API String ID: 2409332303-771211771
                                • Opcode ID: 494d5e062b809df73c3d6e49f193bd99769860188849131d14c163ae7a1441a7
                                • Instruction ID: 2745d1dc519ee2bd887daf3a6292cd68ef8cca80935fc54f98f2a38d87c0befe
                                • Opcode Fuzzy Hash: 494d5e062b809df73c3d6e49f193bd99769860188849131d14c163ae7a1441a7
                                • Instruction Fuzzy Hash: E0E0CD795C63013AEE1407247C8E99977323753731F295305F025525FDDF570489D621
                                APIs
                                • CompareStringOrdinal.KERNEL32(?,000000FF,ImmersiveColorSet,000000FF,00000001), ref: 00131B9B
                                Strings
                                Memory Dump Source
                                • Source File: 0000000A.00000002.1557399348.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000A.00000002.1557347809.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557575969.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557619435.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557648385.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557742414.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000A.00000002.1557812656.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: CompareOrdinalString
                                • String ID: ImmersiveColorSet$)t
                                • API String ID: 2409332303-771211771
                                • Opcode ID: 378a060c161c9078dbe5c7359eb49e1f09814ebd8ddd216bc428271220867e94
                                • Instruction ID: 3377e47f54021965ed365fa0e5577a8840a6de5e5330ec8e61532cf8e3fe0a06
                                • Opcode Fuzzy Hash: 378a060c161c9078dbe5c7359eb49e1f09814ebd8ddd216bc428271220867e94
                                • Instruction Fuzzy Hash: 2FE02B7ABC73003EEE2807207C4EA9576126B13332F294301F031626E8DB4204808620

                                Execution Graph

                                Execution Coverage:0.8%
                                Dynamic/Decrypted Code Coverage:31.9%
                                Signature Coverage:0%
                                Total number of Nodes:774
                                Total number of Limit Nodes:27
106354->106211 106358 134160 30 API calls 106355->106358 106357 134627 106357->106352 106359 134685 106358->106359 106360 13468b lstrcpyW 106359->106360 106361 1346ca 106359->106361 106363 134160 30 API calls 106360->106363 106694 134320 107 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106361->106694 106365 1346a7 106363->106365 106364 1346e6 106367 13470c lstrcpyW 106364->106367 106695 134320 107 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106364->106695 106365->106361 106366 1346ad lstrcpyW PathRenameExtensionW 106365->106366 106368 134718 106366->106368 106367->106368 106371 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106368->106371 106370 134709 106370->106367 106372 134730 106371->106372 106372->106211 106374 134769 lstrcpyW lstrcpyW 106373->106374 106375 13479f PathIsDirectoryW 106373->106375 106376 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106374->106376 106377 1347c5 lstrlenW CharPrevW 106375->106377 106378 1347ed GetModuleFileNameW PathFindFileNameW PathAppendW PathRenameExtensionW PathFileExistsW 106375->106378 106379 134798 106376->106379 106377->106378 106380 134887 PathIsDirectoryW 106377->106380 106381 134838 PathFindFileNameW lstrcpyW PathFileExistsW 106378->106381 106382 13482d PathIsDirectoryW 106378->106382 106379->106213 106385 134892 lstrlenW CharPrevW 106380->106385 106386 1348ba 7 API calls 106380->106386 106383 134852 PathIsDirectoryW 106381->106383 106384 13485d PathFindFileNameW PathFindFileNameW lstrcpyW PathRenameExtensionW 106381->106384 106382->106380 106382->106381 106383->106380 106383->106384 106384->106380 106385->106386 106387 134969 PathFileExistsW 106385->106387 106388 134920 PathFindFileNameW lstrcpyW PathFileExistsW 106386->106388 106389 134915 PathIsDirectoryW 106386->106389 106392 134990 lstrcpyW 106387->106392 106393 13497a PathIsDirectoryW 106387->106393 106390 134945 PathFindFileNameW PathFindFileNameW lstrcpyW PathRenameExtensionW 106388->106390 106391 13493a 
PathIsDirectoryW 106388->106391 106389->106387 106389->106388 106390->106387 106391->106387 106391->106390 106395 13499c PathFileExistsW 106392->106395 106393->106392 106394 134985 PathIsDirectoryW 106393->106394 106394->106392 106394->106395 106396 1349a7 PathIsDirectoryW 106395->106396 106397 1349b9 lstrcpyW lstrcpyW 106395->106397 106396->106397 106398 1349b2 106396->106398 106397->106398 106399 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106398->106399 106400 1349e5 106399->106400 106400->106213 106402 134081 StrRChrW 106401->106402 106403 134158 106401->106403 106404 1340b0 PathFileExistsW 106402->106404 106405 134096 SHCreateDirectoryExW 106402->106405 106403->106215 106406 13411a CreateFileW 106404->106406 106407 1340bf PathIsDirectoryW 106404->106407 106405->106404 106409 134143 106406->106409 106410 13413c CloseHandle 106406->106410 106407->106406 106408 1340ce CreateFileW 106407->106408 106408->106403 106411 1340f0 GetFileSize CloseHandle 106408->106411 106700 133560 84 API calls 106409->106700 106410->106409 106411->106409 106413 134111 106411->106413 106413->106215 106414 134151 106414->106215 106701 132810 106415->106701 106417 134a32 106712 1329e0 106417->106712 106419 134a4d 106420 134a84 106419->106420 106723 1484f0 106419->106723 106422 134a9e 106420->106422 106424 132ad0 50 API calls 106420->106424 106739 132ad0 106422->106739 106423 134a5f 106742 1333b0 75 API calls 106423->106742 106424->106422 106427 134a81 106427->106420 106429 132ad0 50 API calls 106430 134af4 106429->106430 106431 132ad0 50 API calls 106430->106431 106432 134b19 106431->106432 106433 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106432->106433 106434 134b5b 106433->106434 106435 150030 106434->106435 106436 15022e 106435->106436 106437 15005a 106435->106437 106438 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106436->106438 106437->106436 106439 150067 EnumWindows 106437->106439 106440 15023f 106438->106440 106439->106436 
106441 150083 IsWindowEnabled 106439->106441 106772 14ffb0 GetClassNameW 106439->106772 106440->106219 106442 150092 IsIconic 106441->106442 106443 1501aa LoadStringW 106441->106443 106446 1500a0 ShowWindowAsync 106442->106446 106447 1500ac IsWindowVisible 106442->106447 106444 1501e2 StrChrW 106443->106444 106445 1501cb LoadStringW 106443->106445 106448 1501f3 106444->106448 106449 1501fb MessageBoxW 106444->106449 106445->106444 106446->106447 106450 1500e4 SetForegroundWindow 106447->106450 106451 1500c0 SendMessageW SendMessageW 106447->106451 106448->106449 106449->106436 106452 150213 106449->106452 106450->106452 106453 1500fb GlobalSize 106450->106453 106451->106450 106455 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106452->106455 106771 146590 7 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106453->106771 106457 150227 106455->106457 106456 150111 PathIsRelativeW 106458 150121 GetCurrentDirectoryW PathAppendW lstrcpyW 106456->106458 106459 150153 GlobalSize SendMessageW GlobalFree 106456->106459 106457->106219 106458->106459 106460 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106459->106460 106461 1501a3 106460->106461 106461->106219 106463 132810 75 API calls 106462->106463 106464 134bd2 106463->106464 106778 132cc0 106464->106778 106467 132cc0 47 API calls 106468 134c06 106467->106468 106469 132cc0 47 API calls 106468->106469 106470 134c24 106469->106470 106471 132cc0 47 API calls 106470->106471 106472 134c42 106471->106472 106473 132cc0 47 API calls 106472->106473 106474 134c60 106473->106474 106475 132cc0 47 API calls 106474->106475 106476 134c7e 106475->106476 106477 132cc0 47 API calls 106476->106477 106478 134c9c 106477->106478 106479 132cc0 47 API calls 106478->106479 106480 134cba 106479->106480 106481 132cc0 47 API calls 106480->106481 106482 134cd8 106481->106482 106483 132cc0 47 API calls 106482->106483 106484 134cf6 106483->106484 106485 132cc0 47 API calls 106484->106485 106486 134d14 106485->106486 
106487 132cc0 47 API calls 106486->106487 106488 134d32 106487->106488 106489 132ad0 50 API calls 106488->106489 106490 134d55 106489->106490 106491 132ad0 50 API calls 106490->106491 106492 134d8b 106491->106492 106493 1329e0 48 API calls 106492->106493 106494 134dc7 106493->106494 106495 134e0c 106494->106495 106496 134ddc 106494->106496 106497 134e31 106495->106497 106498 134e1c SHGetFolderPathW 106495->106498 106781 1333b0 75 API calls 106496->106781 106782 145e90 21 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106497->106782 106500 134e43 106498->106500 106504 1329e0 48 API calls 106500->106504 106502 134e09 106502->106495 106503 134e40 106503->106500 106505 134e69 106504->106505 106506 134e70 GetSystemDirectoryW PathAddBackslashW lstrcatW 106505->106506 106507 134e9d 106505->106507 106508 134eaf 106506->106508 106783 145e90 21 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106507->106783 106511 1325d0 2 API calls 106508->106511 106510 134eac 106510->106508 106512 134eb9 106511->106512 106513 1329e0 48 API calls 106512->106513 106514 134ee4 lstrcpyW 106513->106514 106515 1329e0 48 API calls 106514->106515 106516 134f17 106515->106516 106517 134f44 106516->106517 106518 134f1e 106516->106518 106519 134f67 106517->106519 106520 134f54 SHGetSpecialFolderPathW 106517->106520 106784 1333b0 75 API calls 106518->106784 106785 145e90 21 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 106519->106785 106522 134f79 106520->106522 106526 132ad0 50 API calls 106522->106526 106524 134f41 106524->106517 106525 134f76 106525->106522 106527 134f97 106526->106527 106528 132ad0 50 API calls 106527->106528 106529 134fd0 106528->106529 106530 132cc0 47 API calls 106529->106530 106531 135000 lstrcpyW 106530->106531 106532 135022 106531->106532 106533 135040 lstrcpynW 106531->106533 106534 1329e0 48 API calls 106532->106534 106535 13503b 106533->106535 106534->106535 106537 132cc0 47 API calls 106535->106537 106538 135081 106537->106538 106539 132cc0 47 API calls 
106538->106539 106540 13509f 106539->106540 106541 132cc0 47 API calls 106540->106541 106542 1350bd GetSysColor 106541->106542 106543 132ad0 50 API calls 106542->106543 106544 1350e4 GetSysColor 106543->106544 106545 132ad0 50 API calls 106544->106545 106546 13510c lstrcpyW 106545->106546 106547 1329e0 48 API calls 106546->106547 106548 135145 106547->106548 106549 135158 106548->106549 106550 13514c lstrcpyW 106548->106550 106551 132cc0 47 API calls 106549->106551 106550->106549 106552 13516e 106551->106552 106553 132cc0 47 API calls 106552->106553 106554 13518c 106553->106554 106555 132cc0 47 API calls 106554->106555 106556 1351aa 106555->106556 106557 132ad0 50 API calls 106556->106557 106558 1351cd 106557->106558 106559 132ad0 50 API calls 106558->106559 106560 1351f2 106559->106560 106561 132ad0 50 API calls 106560->106561 106562 135217 106561->106562 106563 132ad0 50 API calls 106562->106563 106564 13523c GetSystemMetrics GetSystemMetrics 106563->106564 106565 1329e0 48 API calls 106564->106565 106566 13527a 106565->106566 106567 1329e0 48 API calls 106566->106567 106568 13529b 106567->106568 106569 1329e0 48 API calls 106568->106569 106570 1352bc 106569->106570 106571 1352cc wsprintfW wsprintfW wsprintfW wsprintfW 106570->106571 106573 13537f 106570->106573 106572 132ad0 50 API calls 106571->106572 106574 135325 106572->106574 106575 132ad0 50 API calls 106573->106575 106576 132ad0 50 API calls 106574->106576 106577 1353b6 106575->106577 106578 135343 106576->106578 106582 132ad0 50 API calls 106577->106582 106579 132ad0 50 API calls 106578->106579 106580 135361 106579->106580 106581 132ad0 50 API calls 106580->106581 106581->106573 106583 1353e2 106582->106583 106584 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106583->106584 106585 13541c 106584->106585 106585->106224 106586->106226 106587->106231 106589 131914 106588->106589 106590 131898 106588->106590 106589->106262 106590->106589 106604 152a3c 106590->106604 106594 15ee34 
106593->106594 106595 15ee0b 106593->106595 106652 15ee46 46 API calls 3 library calls 106594->106652 106602 15edad 106595->106602 106650 18f28b 14 API calls __dosmaperr 106595->106650 106597 15ee41 106597->106269 106599 15ee16 106651 1811bd 46 API calls __get_errno 106599->106651 106601 15ee21 106601->106269 106602->106269 106603->106263 106607 152a52 ___HrLoadAllImportsForDll@4 106604->106607 106605 1318bb 106605->106262 106607->106605 106608 152a9d 106607->106608 106634 152535 106608->106634 106610 152aad 106611 152b0a 106610->106611 106620 152b2e 106610->106620 106643 152775 6 API calls 3 library calls 106611->106643 106613 152b15 RaiseException 106614 152d03 106613->106614 106614->106607 106615 152ba6 LoadLibraryExA 106616 152c07 106615->106616 106617 152bb9 GetLastError 106615->106617 106619 152c19 106616->106619 106621 152c12 FreeLibrary 106616->106621 106622 152be2 106617->106622 106623 152bcc 106617->106623 106618 152c77 GetProcAddress 106625 152c87 GetLastError 106618->106625 106628 152cd5 106618->106628 106619->106618 106619->106628 106620->106615 106620->106616 106620->106619 106620->106628 106621->106619 106644 152775 6 API calls 3 library calls 106622->106644 106623->106616 106623->106622 106630 152c9a 106625->106630 106626 152bed RaiseException 106626->106614 106646 152775 6 API calls 3 library calls 106628->106646 106630->106628 106645 152775 6 API calls 3 library calls 106630->106645 106631 152cbb RaiseException 106632 152535 DloadAcquireSectionWriteAccess 6 API calls 106631->106632 106633 152cd2 106632->106633 106633->106628 106635 152567 106634->106635 106636 152541 106634->106636 106635->106610 106647 1525de GetModuleHandleW GetProcAddress GetProcAddress DloadReleaseSectionWriteAccess 106636->106647 106638 152546 106639 152562 106638->106639 106648 152707 VirtualQuery GetSystemInfo VirtualProtect DloadProtectSection 106638->106648 106649 152568 GetModuleHandleW GetProcAddress GetProcAddress 106639->106649 106642 1527b0 106642->106610 
106643->106613 106644->106626 106645->106631 106646->106614 106647->106638 106648->106639 106649->106642 106650->106599 106651->106601 106652->106597 106653->106283 106654->106284 106655->106295 106656->106299 106657->106294 106658->106299 106659->106299 106660->106299 106661->106323 106662->106328 106663->106299 106664->106299 106665->106299 106667 152d15 IsProcessorFeaturePresent 106666->106667 106668 152d14 106666->106668 106670 15337c 106667->106670 106668->106338 106696 15333f SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 106670->106696 106672 15345f 106672->106338 106674 1341a6 lstrcpyW PathFindFileNameW lstrcpyW PathFileExistsW 106673->106674 106675 1342c4 PathFileExistsW 106673->106675 106678 1341df PathIsDirectoryW 106674->106678 106679 1341ee lstrcpyW PathRemoveFileSpecW lstrcatW lstrcatW PathFileExistsW 106674->106679 106676 1342d6 PathIsDirectoryW 106675->106676 106677 1342fe 106675->106677 106676->106677 106680 1342e8 lstrcpyW 106676->106680 106684 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106677->106684 106678->106679 106681 1342b5 lstrcpyW 106678->106681 106682 134231 PathIsDirectoryW 106679->106682 106683 13423c SHGetFolderPathW 106679->106683 106680->106677 106681->106677 106682->106681 106682->106683 106685 134282 SHGetFolderPathW 106683->106685 106686 134255 PathAppendW PathFileExistsW 106683->106686 106687 134312 106684->106687 106685->106677 106689 134295 PathAppendW 106685->106689 106686->106685 106688 134277 PathIsDirectoryW 106686->106688 106687->106344 106687->106345 106688->106681 106688->106685 106697 1325d0 PathFileExistsW 106689->106697 106692->106347 106693->106357 106694->106364 106695->106370 106696->106672 106698 1325e9 106697->106698 106699 1325de PathIsDirectoryW 106697->106699 106698->106677 106698->106681 106699->106698 106700->106414 106702 1328c2 106701->106702 106703 132822 PathFileExistsW 106701->106703 106702->106417 106703->106702 106704 132835 PathIsDirectoryW 
106703->106704 106704->106702 106705 132844 106704->106705 106743 1326c0 62 API calls 2 library calls 106705->106743 106707 13287f 106707->106702 106744 1361b0 54 API calls 106707->106744 106709 132891 106745 1327b0 FlushFileBuffers UnlockFileEx CloseHandle 106709->106745 106711 1328b8 106711->106417 106713 1329f2 106712->106713 106722 132a9f 106712->106722 106713->106722 106746 13b340 47 API calls 106713->106746 106715 132a22 106717 132a35 106715->106717 106747 15efad 47 API calls 2 library calls 106715->106747 106716 132abb lstrlenW 106716->106419 106717->106722 106748 139900 47 API calls 106717->106748 106720 132a6f 106720->106722 106749 15efad 47 API calls 2 library calls 106720->106749 106722->106716 106724 155950 __CreateFrameInfo 106723->106724 106725 14852a GetUserPreferredUILanguages 106724->106725 106726 1485ce 106725->106726 106727 14854b LocalAlloc 106725->106727 106728 1485d5 GetLocaleInfoEx 106726->106728 106729 148618 106726->106729 106730 14860e 106727->106730 106731 148569 GetUserPreferredUILanguages 106727->106731 106728->106729 106732 1485f4 106728->106732 106736 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106729->106736 106730->106728 106738 14857c LocalFree 106731->106738 106734 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106732->106734 106735 148607 106734->106735 106735->106423 106737 148644 106736->106737 106737->106423 106738->106726 106750 1366a0 106739->106750 106742->106427 106743->106707 106744->106709 106745->106711 106746->106715 106747->106717 106748->106720 106749->106722 106751 1366c7 106750->106751 106765 136832 106751->106765 106766 13b340 47 API calls 106751->106766 106753 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106755 132aeb 106753->106755 106754 13670d 106754->106765 106767 15efad 47 API calls 2 library calls 106754->106767 106755->106429 106757 136724 106757->106765 106768 139900 47 API calls 106757->106768 106759 13679b __CreateFrameInfo 106761 1367c5 
WideCharToMultiByte 106759->106761 106759->106765 106760 13675c 106760->106759 106760->106765 106769 137c20 47 API calls 106760->106769 106763 1367f0 106761->106763 106761->106765 106763->106765 106770 1672e7 48 API calls 2 library calls 106763->106770 106765->106753 106766->106754 106767->106757 106768->106760 106769->106759 106770->106765 106771->106456 106773 150010 106772->106773 106774 14ffec lstrcmpiW 106772->106774 106776 152d0c __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 106773->106776 106774->106773 106775 150000 IsWindowEnabled 106774->106775 106775->106773 106777 150023 106776->106777 106786 136c00 106778->106786 106781->106502 106782->106503 106783->106510 106784->106524 106785->106525 106787 136c15 106786->106787 106794 132ce7 106787->106794 106796 13b340 47 API calls 106787->106796 106789 136c5c 106789->106794 106797 15efad 47 API calls 2 library calls 106789->106797 106791 136c73 106791->106794 106798 139900 47 API calls 106791->106798 106793 136cab 106793->106794 106799 137c20 47 API calls 106793->106799 106794->106467 106796->106789 106797->106791 106798->106793 106799->106794 106800 294ab81 GetNativeSystemInfo 106801 2961d90 106802 2961d9c ___scrt_is_nonwritable_in_current_image 106801->106802 106831 296150f 106802->106831 106804 2961da3 106805 2961ef6 106804->106805 106811 2961dcd 106804->106811 106864 2962375 4 API calls 2 library calls 106805->106864 106807 2961efd 106857 2972f08 106807->106857 106813 2961dec 106811->106813 106814 2961e0c ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 106811->106814 106837 297d820 106811->106837 106812 2961f0b 106816 2961e6d 106814->106816 106860 2972ee2 GetLastError SetLastError ___scrt_is_nonwritable_in_current_image __CreateFrameInfo 106814->106860 106841 2962490 106816->106841 106820 2961e7b 106848 2903dc0 106820->106848 106825 2961e8f 106825->106807 106826 2961e93 106825->106826 106827 2961e9c 106826->106827 106862 2972ebd 35 API calls __CreateFrameInfo 106826->106862 
106863 2961680 7 API calls ___scrt_uninitialize_crt 106827->106863 106830 2961ea4 106830->106813 106832 2961518 106831->106832 106866 296503c 10 API calls 2 library calls 106832->106866 106834 2961529 106835 296152d 106834->106835 106867 296505b 7 API calls 2 library calls 106834->106867 106835->106804 106838 297d82e 106837->106838 106839 297d847 106837->106839 106838->106839 106868 28f14a0 106838->106868 106839->106814 106946 29634d0 106841->106946 106843 29624a3 GetStartupInfoW 106844 2961e73 106843->106844 106845 297d7cd 106844->106845 106948 2989053 106845->106948 106847 297d7d6 106847->106820 106852 2903ddb ctype 106848->106852 106849 2903f4c 106953 29616ea 5 API calls ___raise_securityfailure 106849->106953 106851 2903f6d 106861 29624c6 GetModuleHandleW 106851->106861 106852->106849 106853 28f8e60 18 API calls 106852->106853 106854 2903f73 106852->106854 106853->106852 106954 296cb8f 15 API calls 2 library calls 106854->106954 106955 2972cf0 106857->106955 106860->106816 106861->106825 106862->106827 106863->106830 106864->106807 106865 2972ecc 35 API calls __CreateFrameInfo 106865->106812 106866->106834 106867->106835 106869 28f14cc 106868->106869 106872 292f330 106869->106872 106871 28f14eb 106871->106838 106873 292f36e 106872->106873 106890 2912fd0 106873->106890 106875 292f391 106903 292ec50 CryptAcquireContextA 106875->106903 106877 292f3a0 106917 292f220 106877->106917 106879 292f3ac CryptGenRandom 106880 292f3ba 106879->106880 106881 292f418 106879->106881 106882 292f3cc CryptReleaseContext 106880->106882 106886 292f3d5 106880->106886 106926 292edb0 17 API calls 3 library calls 106881->106926 106882->106886 106884 292f435 106927 2962b24 RaiseException 106884->106927 106925 29616ea 5 API calls ___raise_securityfailure 106886->106925 106888 292f443 106889 292f412 106889->106871 106891 2913026 106890->106891 106895 2913001 106890->106895 106928 29616ea 5 API calls ___raise_securityfailure 106891->106928 106893 291303e 106893->106875 106894 291301c 
106894->106891 106896 2913072 106894->106896 106895->106891 106895->106894 106897 2913044 106895->106897 106930 2962b24 RaiseException 106896->106930 106929 2962b24 RaiseException 106897->106929 106900 29130a0 106931 2962aa2 16 API calls 2 library calls 106900->106931 106902 29130f7 106902->106875 106904 292ecc6 106903->106904 106905 292ec9b GetLastError CryptAcquireContextA 106903->106905 106932 29616ea 5 API calls ___raise_securityfailure 106904->106932 106905->106904 106906 292ecb5 CryptAcquireContextA 106905->106906 106906->106904 106908 292ece4 SetLastError 106906->106908 106910 292ecf8 106908->106910 106909 292ece0 106909->106877 106933 292edb0 17 API calls 3 library calls 106910->106933 106912 292ed0b 106934 2962b24 RaiseException 106912->106934 106914 292ed19 106935 2962aa2 16 API calls 2 library calls 106914->106935 106916 292ed67 106916->106877 106920 292f265 106917->106920 106924 292f2b2 ctype 106920->106924 106936 296144d 106920->106936 106921 292ec50 24 API calls 106922 292f28e 106921->106922 106923 292f2a9 CryptReleaseContext 106922->106923 106922->106924 106923->106924 106924->106879 106925->106889 106926->106884 106927->106888 106928->106893 106929->106896 106930->106900 106931->106902 106932->106909 106933->106912 106934->106914 106935->106916 106938 2961452 106936->106938 106939 292f276 106938->106939 106940 2972b8e 106938->106940 106939->106921 106939->106922 106941 298046d 106940->106941 106942 2980496 HeapAlloc 106941->106942 106944 29804ab 106941->106944 106945 298047f _Getvals 106941->106945 106943 29804a9 106942->106943 106942->106945 106943->106944 106944->106938 106945->106942 106945->106944 106947 29634e7 106946->106947 106947->106843 106947->106947 106949 298908e 106948->106949 106950 298905c 106948->106950 106949->106847 106952 2988e5e 24 API calls 2 library calls 106950->106952 106952->106949 106953->106851 106956 2972d2f 106955->106956 106957 2972d1d 106955->106957 106967 2972b99 106956->106967 106978 2972db8 GetModuleHandleW 
106957->106978 106960 2972d22 106960->106956 106979 2972e1d GetModuleHandleExW 106960->106979 106961 2972d66 106962 2961f03 106961->106962 106971 2972d87 106961->106971 106962->106865 106966 2972d81 106968 2972ba5 ___scrt_is_nonwritable_in_current_image 106967->106968 106985 2972c05 106968->106985 106970 2972bbc __CreateFrameInfo 106970->106961 106991 2972dfb 106971->106991 106974 2972da5 106976 2972e1d __CreateFrameInfo 3 API calls 106974->106976 106975 2972d95 GetCurrentProcess TerminateProcess 106975->106974 106977 2972dad ExitProcess 106976->106977 106978->106960 106980 2972e7d 106979->106980 106981 2972e5c GetProcAddress 106979->106981 106982 2972e83 FreeLibrary 106980->106982 106983 2972d2e 106980->106983 106981->106980 106984 2972e70 106981->106984 106982->106983 106983->106956 106984->106980 106986 2972c11 ___scrt_is_nonwritable_in_current_image __CreateFrameInfo 106985->106986 106987 297d820 __CreateFrameInfo 27 API calls 106986->106987 106989 2972c95 106986->106989 106990 2972ca6 106986->106990 106987->106989 106988 297d820 __CreateFrameInfo 27 API calls 106988->106990 106989->106988 106990->106970 106992 2972e00 106991->106992 106993 2972e05 GetPEB 106992->106993 106994 2972d91 106992->106994 106993->106994 106994->106974 106994->106975 106995 297c5a9 106996 297c5b2 106995->106996 106999 297c5c8 106995->106999 106996->106999 107001 297c601 106996->107001 106998 297c5bf 106998->106999 107011 297c8df WideCharToMultiByte _vsnprintf 106998->107011 107002 297c60d 107001->107002 107003 297c60a 107001->107003 107004 2989053 24 API calls 107002->107004 107003->106998 107005 297c613 107004->107005 107012 2989355 GetEnvironmentStringsW 107005->107012 107008 297c61e 107008->106998 107010 297c631 107010->106998 107011->106999 107013 298936d 107012->107013 107014 297c618 107012->107014 107029 29853ca WideCharToMultiByte 107013->107029 107014->107008 107028 297c6b0 15 API calls 2 library calls 107014->107028 107016 298938a 107017 298939f 107016->107017 107018 2989394 
FreeEnvironmentStringsW 107016->107018 107030 298046d HeapAlloc _Getvals 107017->107030 107018->107014 107020 29893a6 107021 29893bf 107020->107021 107022 29893ae 107020->107022 107031 29853ca WideCharToMultiByte 107021->107031 107024 29893b3 FreeEnvironmentStringsW 107022->107024 107025 29893f0 107024->107025 107025->107014 107026 29893cf 107027 29893e6 FreeEnvironmentStringsW 107026->107027 107027->107025 107028->107010 107029->107016 107030->107020 107031->107026 107032 29842f6 107033 298431d 107032->107033 107034 2984305 107032->107034 107033->107034 107036 2984334 _strrchr _strrchr 107033->107036 107096 296cb7f 15 API calls __strnicoll 107034->107096 107037 2984351 107036->107037 107056 29843ab 107036->107056 107038 29843cc _strrchr 107037->107038 107039 2984355 _strrchr 107037->107039 107040 29843e2 107038->107040 107044 298440d 107038->107044 107039->107038 107043 2984365 107039->107043 107060 2984c75 107040->107060 107042 29843ea 107046 2984315 107042->107046 107067 29844e9 107042->107067 107043->107046 107097 297f16d 15 API calls __strnicoll 107043->107097 107044->107046 107099 297f16d 15 API calls __strnicoll 107044->107099 107049 2984398 107050 29844dc 107049->107050 107098 298e56b 15 API calls __strnicoll 107049->107098 107101 296cbac 11 API calls __CreateFrameInfo 107050->107101 107051 298444b 107051->107046 107051->107050 107057 2984c75 18 API calls 107051->107057 107058 29844ad 107051->107058 107100 297f16d 15 API calls __strnicoll 107051->107100 107054 29844e8 107056->107038 107056->107050 107057->107051 107059 29844e9 47 API calls 107058->107059 107059->107046 107061 2984c83 107060->107061 107064 2984c91 __wsopen_s 107060->107064 107102 2984b78 18 API calls 2 library calls 107061->107102 107063 2984c8d 107063->107042 107066 2984cbf 107064->107066 107103 2984b78 18 API calls 2 library calls 107064->107103 107066->107042 107068 298450c 107067->107068 107069 29844f7 107067->107069 107068->107069 107072 2984522 __fread_nolock 107068->107072 107108 
296cb7f 15 API calls __strnicoll 107069->107108 107071 2984507 107071->107046 107095 2984549 107072->107095 107104 298ea05 107072->107104 107074 29845fb 107075 2984652 GetLastError __dosmaperr 107074->107075 107078 29846ed 107074->107078 107079 2984614 107074->107079 107076 298466a 107075->107076 107077 2984663 CloseHandle 107075->107077 107083 298466e CloseHandle 107076->107083 107076->107095 107077->107076 107109 2972ecc 35 API calls __CreateFrameInfo 107078->107109 107080 2984618 WaitForSingleObject GetExitCodeProcess 107079->107080 107081 2984677 107079->107081 107080->107075 107084 2984631 107080->107084 107086 29846b8 107081->107086 107087 298467c 107081->107087 107083->107095 107088 298463b CloseHandle 107084->107088 107089 2984642 107084->107089 107085 29846f4 107090 29846bc CloseHandle 107086->107090 107086->107095 107091 2984680 CloseHandle 107087->107091 107092 2984687 107087->107092 107088->107089 107093 2984646 CloseHandle 107089->107093 107089->107095 107090->107095 107091->107092 107094 298468b CloseHandle 107092->107094 107092->107095 107093->107095 107094->107095 107095->107046 107096->107046 107097->107049 107098->107056 107099->107051 107100->107051 107101->107054 107102->107063 107103->107066 107105 298ea4e __wsopen_s 107104->107105 107106 298eac2 107105->107106 107107 298ea9e CreateProcessW 107105->107107 107106->107074 107107->107106 107108->107071 107109->107085 107110 2973869 107111 2973894 107110->107111 107112 29738a4 107111->107112 107113 2973979 107111->107113 107115 2984c75 18 API calls 107112->107115 107119 29738ae 107112->107119 107121 296cbac 11 API calls __CreateFrameInfo 107113->107121 107115->107119 107116 2973983 107118 2973977 107120 29616ea 5 API calls ___raise_securityfailure 107119->107120 107120->107118 107121->107116

                                Control-flow Graph

                                APIs
                                • GetVersion.KERNEL32 ref: 00148662
                                • SetErrorMode.KERNELBASE(00008001), ref: 00148685
                                  • Part of subcall function 00131E10: RtlGetNtVersionNumbers.NTDLL ref: 00131E31
                                  • Part of subcall function 00131E10: LoadLibraryExW.KERNEL32(comctl32.dll,00000000,00000800), ref: 00131EB3
                                  • Part of subcall function 00131E10: FreeLibrary.KERNEL32(00000000), ref: 00131F01
                                • GetSysColor.USER32(00000008), ref: 001486EC
                                • GetSysColor.USER32(00000005), ref: 001486F5
                                • GetSysColor.USER32(00000017), ref: 001486FE
                                • GetSysColor.USER32(00000018), ref: 00148707
                                • GetSysColor.USER32(0000000E), ref: 00148710
                                • GetSysColor.USER32(0000000D), ref: 00148719
                                • GetSysColor.USER32(00000002), ref: 00148722
                                • GetSysColor.USER32(00000001), ref: 0014872B
                                • GetSysColor.USER32(0000000F), ref: 00148734
                                • GetSysColor.USER32(0000000F), ref: 0014873D
                                • GetSysColor.USER32(0000000F), ref: 00148746
                                • GetSysColor.USER32(0000000F), ref: 0014874F
                                • GetSysColor.USER32(0000000F), ref: 00148758
                                • GetSysColor.USER32(0000000F), ref: 00148761
                                  • Part of subcall function 0014F4E0: GetCommandLineW.KERNEL32(?,75A3CF90,?,?,?,0014877B), ref: 0014F4E5
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F509
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000009,?,?,?,0014877B), ref: 0014F51A
                                  • Part of subcall function 0014F4E0: lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F52C
                                  • Part of subcall function 0014F4E0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F53E
                                  • Part of subcall function 0014F4E0: lstrlenW.KERNEL32(00000000,?,?,?,0014877B), ref: 0014F543
                                  • Part of subcall function 0014F4E0: LocalAlloc.KERNEL32(00000040,00000000,?,?,?,0014877B), ref: 0014F54F
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F55B
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F593
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,-00000002,?,?,?,0014877B), ref: 0014F5A7
                                  • Part of subcall function 0014F4E0: lstrcpyW.KERNEL32(00000000,00000000,?,?,?,0014877B), ref: 0014F5D5
                                  • Part of subcall function 0014F4E0: StrChrW.SHLWAPI(00000000,00000020,?,?,?,0014877B), ref: 0014F60B
                                  • Part of subcall function 00134450: GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,75A3CF90), ref: 00134476
                                  • Part of subcall function 00134450: lstrcmpiW.KERNEL32(00290388,001BD624), ref: 00134494
                                  • Part of subcall function 00134740: lstrcmpiW.KERNEL32(00290388,001BD624,75A3CF90), ref: 0013475F
                                  • Part of subcall function 00134740: lstrcpyW.KERNEL32(C:\Users\user\Desktop\bgsTrRPJh0.ini,001BD420), ref: 00134779
                                  • Part of subcall function 00134740: lstrcpyW.KERNEL32(00290388,001BD420), ref: 00134785
                                  • Part of subcall function 00134070: StrRChrW.SHLWAPI(00290388,00000000,0000005C,?,?,?,001354A3), ref: 0013408A
                                  • Part of subcall function 00134070: SHCreateDirectoryExW.SHELL32(00000000,00290388,00000000,?,?,?,001354A3), ref: 001340A2
                                  • Part of subcall function 00134070: PathFileExistsW.SHLWAPI(00290388,?,?,?,001354A3), ref: 001340B5
                                  • Part of subcall function 00134070: PathIsDirectoryW.SHLWAPI(00290388), ref: 001340C4
                                  • Part of subcall function 00134070: CreateFileW.KERNEL32(00290388,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,001354A3), ref: 001340E3
                                  • Part of subcall function 00134070: GetFileSize.KERNEL32(00000000,?), ref: 001340FE
                                  • Part of subcall function 00134070: CloseHandle.KERNEL32(00000000), ref: 00134107
                                  • Part of subcall function 00150030: EnumWindows.USER32(0014FFB0,00000000), ref: 00150071
                                  • Part of subcall function 00150030: IsWindowEnabled.USER32(00000000), ref: 00150084
                                  • Part of subcall function 00150030: IsIconic.USER32(00000000), ref: 00150096
                                  • Part of subcall function 00150030: ShowWindowAsync.USER32(00000009,00000009), ref: 001500A6
                                  • Part of subcall function 00150030: IsWindowVisible.USER32(00000000), ref: 001500B0
                                  • Part of subcall function 00150030: SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 001500D0
                                  • Part of subcall function 00150030: SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 001500E2
                                  • Part of subcall function 00150030: SetForegroundWindow.USER32(00000000), ref: 001500E8
                                  • Part of subcall function 00150030: GlobalSize.KERNEL32(?), ref: 001500FC
                                  • Part of subcall function 00150030: PathIsRelativeW.SHLWAPI ref: 00150117
                                  • Part of subcall function 00150030: GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0015012B
                                  • Part of subcall function 00150030: PathAppendW.SHLWAPI(?), ref: 0015013C
                                  • Part of subcall function 00150030: lstrcpyW.KERNEL32(?), ref: 0015014D
                                  • Part of subcall function 00150030: GlobalSize.KERNEL32 ref: 00150161
                                  • Part of subcall function 00150030: SendMessageW.USER32(?,0000004A,00000000,?), ref: 00150181
                                  • Part of subcall function 00150030: GlobalFree.KERNEL32 ref: 00150189
                                • OleInitialize.OLE32(00000000), ref: 0014879D
                                • InitCommonControlsEx.COMCTL32(?), ref: 001487BC
                                • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 001487C7
                                  • Part of subcall function 00131E10: VirtualProtect.KERNELBASE(00000000,00000004,00000004,?,?), ref: 00131F49
                                  • Part of subcall function 00131E10: VirtualProtect.KERNELBASE(00000000,00000004,?,?), ref: 00131F6F
                                  • Part of subcall function 00131E10: FreeLibrary.KERNEL32(00000000), ref: 00131F73
                                • GetSysColor.USER32(00000005), ref: 0014880A
                                • CreateSolidBrush.GDI32(00000000), ref: 00148813
                                • GetSysColor.USER32(0000000F), ref: 00148842
                                • CreateSolidBrush.GDI32(00000000), ref: 00148845
                                • GetSystemMetrics.USER32(0000000B), ref: 00148854
                                • GetSystemMetrics.USER32(0000000C), ref: 0014885A
                                • GetSystemMetrics.USER32(00000031), ref: 00148861
                                • GetSystemMetrics.USER32(00000032), ref: 00148868
                                • #381.COMCTL32(?,00000064,00000000,?,00290E68), ref: 0014888A
                                • #381.COMCTL32(?,00000064,?,00000000,00290840), ref: 001488A4
                                • LoadCursorW.USER32(?,00007F00), ref: 001488D3
                                • RegisterClassW.USER32(00002000), ref: 001488F5
                                • LoadLibraryW.KERNELBASE(erherthgrgherhre.erhgerg), ref: 00148916
                                • GlobalAlloc.KERNELBASE(00000000,00000000), ref: 0014891B
                                • LoadLibraryW.KERNEL32(00000000), ref: 0014892A
                                • ExitProcess.KERNEL32 ref: 00148936
                                  • Part of subcall function 001319E0: SystemParametersInfoW.USER32(00000042,0000000C,00000000), ref: 00131A11
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Color$lstrcpy$LibrarySystemWindow$CreateFileGlobalLoadMessageMetricsPath$AllocDirectoryFreeSendSize$#381BrushLocalProtectRegisterSolidVersionVirtuallstrcmpilstrlen$AppendAsyncClassCloseCommandCommonControlsCurrentCursorEnabledEnumErrorExistsExitForegroundHandleIconicInfoInitInitializeLineModeModuleNameNumbersParametersProcessRelativeShowVisibleWindows
                                • String ID: *.*$333$MiniPath$TaskbarCreated$erherthgrgherhre.erhgerg
                                • API String ID: 1151885106-3872912507
                                • Opcode ID: 12c332d36bdaa6e485f2ef781984ace4bbf0064fd66a09217db991c95bdc9370
                                • Instruction ID: cd215cd67f7281f49b19ba19aa9e82d7328fb73ccbbb29108c01626a33fc9582
                                • Opcode Fuzzy Hash: 12c332d36bdaa6e485f2ef781984ace4bbf0064fd66a09217db991c95bdc9370
                                • Instruction Fuzzy Hash: 4B814274E40319AAEB10AFB6FD4D7AE3FA4EF09754F00442BE5049B2A1EB754454CFA1

                                Control-flow Graph

                                APIs
                                • EnumWindows.USER32(0014FFB0,00000000), ref: 00150071
                                • IsWindowEnabled.USER32(00000000), ref: 00150084
                                • IsIconic.USER32(00000000), ref: 00150096
                                • ShowWindowAsync.USER32(00000009,00000009), ref: 001500A6
                                • IsWindowVisible.USER32(00000000), ref: 001500B0
                                • SendMessageW.USER32(00000400,00000400,00000000,00000203), ref: 001500D0
                                • SendMessageW.USER32(00000400,00000400,00000000,00000202), ref: 001500E2
                                • SetForegroundWindow.USER32(00000000), ref: 001500E8
                                • GlobalSize.KERNEL32(?), ref: 001500FC
                                • PathIsRelativeW.SHLWAPI ref: 00150117
                                • GetCurrentDirectoryW.KERNEL32(00000104,?), ref: 0015012B
                                • PathAppendW.SHLWAPI(?), ref: 0015013C
                                • lstrcpyW.KERNEL32(?), ref: 0015014D
                                • GlobalSize.KERNEL32 ref: 00150161
                                • SendMessageW.USER32(?,0000004A,00000000,?), ref: 00150181
                                • GlobalFree.KERNEL32 ref: 00150189
                                • LoadStringW.USER32(0000C35F,?,00000100), ref: 001501C5
                                • LoadStringW.USER32(0000C35F,?,00000100), ref: 001501E0
                                • StrChrW.SHLWAPI(?,0000000A), ref: 001501E9
                                • MessageBoxW.USER32(00000000,00000000,?,00010024), ref: 00150208
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: MessageWindow$GlobalSend$LoadPathSizeString$AppendAsyncCurrentDirectoryEnabledEnumForegroundFreeIconicRelativeShowVisibleWindowslstrcpy
                                • String ID:
                                • API String ID: 648661597-0
                                • Opcode ID: e5f97daa65a21c6cfc590d1c83cf6c64a690952c4c9f62d7da5bad3d8ee84367
                                • Instruction ID: 4ab7ad9b31f08f37e3d6adcc862742c8acfb7ac814ee388afbcbe4f9c174f081
                                • Opcode Fuzzy Hash: e5f97daa65a21c6cfc590d1c83cf6c64a690952c4c9f62d7da5bad3d8ee84367
                                • Instruction Fuzzy Hash: 8B516B71640306EFEB219F60EC4EB5A3BE8FF49701F00441AF959DA1B0DB719898CB52

                                Control-flow Graph

                                control_flow_graph 835 1484f0-148545 call 155950 GetUserPreferredUILanguages 838 1485ce-1485d3 835->838 839 14854b-148563 LocalAlloc 835->839 840 1485d5-1485f2 GetLocaleInfoEx 838->840 841 148618-14864a call 13d900 call 152d0c 838->841 842 14860e-148616 839->842 843 148569-14857a GetUserPreferredUILanguages 839->843 840->841 844 1485f4-14860d call 152d0c 840->844 842->840 846 14857c-148581 843->846 847 1485bf 843->847 846->847 851 148583-148590 846->851 848 1485c7-1485c8 LocalFree 847->848 848->838 852 148592-14859a 851->852 856 1485b0-1485bd 852->856 857 14859c-1485a3 852->857 856->848 857->856 858 1485a5-1485ae 857->858 858->852 858->856
                                APIs
                                • GetUserPreferredUILanguages.KERNELBASE(00000008,?,00000000,00000000), ref: 00148541
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00148559
                                • GetUserPreferredUILanguages.KERNEL32(00000008,?,00000000,?), ref: 00148576
                                • LocalFree.KERNEL32(00000000), ref: 001485C8
                                • GetLocaleInfoEx.KERNEL32(00000000,0000005C,?,00000055), ref: 001485E0
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: LanguagesLocalPreferredUser$AllocFreeInfoLocale
                                • String ID:
                                • API String ID: 1113077726-0
                                • Opcode ID: 7723e9623b4fc4cd4d1fae970324d41bcd92b356dbe46e0f4cb0dd87236ef8e1
                                • Instruction ID: ad77b030042c629279fad0d954364c707ef57a5f650881996c75a5e099a843ca
                                • Opcode Fuzzy Hash: 7723e9623b4fc4cd4d1fae970324d41bcd92b356dbe46e0f4cb0dd87236ef8e1
                                • Instruction Fuzzy Hash: D6316DB26043059FE314DF14DC45B6FB7E8EB85711F40842EF955CA291EB74D909CBA2

                                Control-flow Graph

                                control_flow_graph 152 134740-134767 lstrcmpiW 153 134769-13479e lstrcpyW * 2 call 152d0c 152->153 154 13479f-1347c3 PathIsDirectoryW 152->154 156 1347c5-1347e7 lstrlenW CharPrevW 154->156 157 1347ed-13482b GetModuleFileNameW PathFindFileNameW PathAppendW PathRenameExtensionW PathFileExistsW 154->157 156->157 159 134887-134890 PathIsDirectoryW 156->159 160 134838-134850 PathFindFileNameW lstrcpyW PathFileExistsW 157->160 161 13482d-134836 PathIsDirectoryW 157->161 164 134892-1348b4 lstrlenW CharPrevW 159->164 165 1348ba-134913 GetModuleFileNameW PathRemoveFileSpecW lstrcatW PathFindFileNameW PathAppendW PathRenameExtensionW PathFileExistsW 159->165 162 134852-13485b PathIsDirectoryW 160->162 163 13485d-134881 PathFindFileNameW * 2 lstrcpyW PathRenameExtensionW 160->163 161->159 161->160 162->159 162->163 163->159 164->165 166 134969-134978 PathFileExistsW 164->166 167 134920-134938 PathFindFileNameW lstrcpyW PathFileExistsW 165->167 168 134915-13491e PathIsDirectoryW 165->168 171 134990-13499a lstrcpyW 166->171 172 13497a-134983 PathIsDirectoryW 166->172 169 134945-134963 PathFindFileNameW * 2 lstrcpyW PathRenameExtensionW 167->169 170 13493a-134943 PathIsDirectoryW 167->170 168->166 168->167 169->166 170->166 170->169 174 13499c-1349a5 PathFileExistsW 171->174 172->171 173 134985-13498e PathIsDirectoryW 172->173 173->171 173->174 175 1349a7-1349b0 PathIsDirectoryW 174->175 176 1349b9-1349d1 lstrcpyW * 2 174->176 175->176 177 1349b2-1349b7 175->177 178 1349d3-1349eb call 152d0c 176->178 177->178
                                APIs
                                • lstrcmpiW.KERNEL32(00290388,001BD624,75A3CF90), ref: 0013475F
                                • lstrcpyW.KERNEL32(C:\Users\user\Desktop\bgsTrRPJh0.ini,001BD420), ref: 00134779
                                • lstrcpyW.KERNEL32(00290388,001BD420), ref: 00134785
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 001347AD
                                • lstrlenW.KERNEL32(00290388), ref: 001347CA
                                • CharPrevW.USER32(00290388,00000000), ref: 001347DD
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001347F9
                                • PathFindFileNameW.SHLWAPI(?), ref: 00134804
                                • PathAppendW.SHLWAPI(00290388,00000000), ref: 0013480C
                                • PathRenameExtensionW.SHLWAPI(00290388,.ini), ref: 0013481C
                                • PathFileExistsW.SHLWAPI(00290388), ref: 00134827
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 00134832
                                • PathFindFileNameW.SHLWAPI(00290388,minipath.ini), ref: 00134842
                                • lstrcpyW.KERNEL32(00000000), ref: 00134845
                                • PathFileExistsW.SHLWAPI(00290388), ref: 0013484C
                                • PathIsDirectoryW.SHLWAPI(00290388), ref: 00134857
                                • PathFindFileNameW.SHLWAPI(?), ref: 00134862
                                • PathFindFileNameW.SHLWAPI(00290388), ref: 0013486B
                                • lstrcpyW.KERNEL32(00000000,00000000), ref: 0013486F
                                • PathRenameExtensionW.SHLWAPI(00290388,.ini), ref: 0013487B
                                • PathIsDirectoryW.SHLWAPI(00290180), ref: 0013488C
                                • lstrlenW.KERNEL32(00290180), ref: 00134897
                                • CharPrevW.USER32(00290180,00000000), ref: 001348AA
                                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 001348C6
                                • PathRemoveFileSpecW.SHLWAPI(?), ref: 001348D1
                                • lstrcatW.KERNEL32(?,\Notepad3.exe), ref: 001348E1
                                • PathFindFileNameW.SHLWAPI(?), ref: 001348EC
                                • PathAppendW.SHLWAPI(00290180,00000000), ref: 001348F4
                                • PathRenameExtensionW.SHLWAPI(00290180,.ini), ref: 00134904
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$File$Name$Find$Directorylstrcpy$ExtensionRename$AppendCharExistsModulePrevlstrlen$RemoveSpeclstrcatlstrcmpi
                                • String ID: .ini$C:\Users\user\Desktop\bgsTrRPJh0.ini$\Notepad3.exe$minipath.ini$notepad3.ini
                                • API String ID: 882991028-2059742083
                                • Opcode ID: 4c6ef488b8c922e1384c92c24b91cc1542159403383ae6bad79ef68dc639b288
                                • Instruction ID: 5aebfe574a2b93373e9f0fd768a7f9d8d03241787af38e50b6256056888b9071
                                • Opcode Fuzzy Hash: 4c6ef488b8c922e1384c92c24b91cc1542159403383ae6bad79ef68dc639b288
                                • Instruction Fuzzy Hash: 3051447275030DBFDF50A7F59C86E6A3AD8AF4AB84F010555FD04D24E0EBA0E8548A7E

                                Control-flow Graph

                                APIs
                                • ExpandEnvironmentStringsW.KERNEL32(?,?,00000104,75DA4E90,771EF860,?,75DAA6F0), ref: 0013418A
                                • PathIsRelativeW.SHLWAPI(?,?,75DAA6F0), ref: 00134198
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341B2
                                • PathFindFileNameW.SHLWAPI(?,?,?,75DAA6F0), ref: 001341C1
                                • lstrcpyW.KERNEL32(00000000,?,75DAA6F0), ref: 001341C8
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 001341CF
                                • PathIsDirectoryW.SHLWAPI(?), ref: 001341E4
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001341F4
                                • PathRemoveFileSpecW.SHLWAPI(?,?,75DAA6F0), ref: 001341FB
                                • lstrcatW.KERNEL32(?,\np3\,?,75DAA6F0), ref: 00134211
                                • lstrcatW.KERNEL32(?,?,?,75DAA6F0), ref: 00134220
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 00134227
                                • PathIsDirectoryW.SHLWAPI(?), ref: 00134236
                                • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,?,?,75DAA6F0), ref: 0013424F
                                • PathAppendW.SHLWAPI(?,?,?,75DAA6F0), ref: 00134262
                                • PathFileExistsW.KERNELBASE(?,?,75DAA6F0), ref: 0013426D
                                • PathIsDirectoryW.SHLWAPI(?), ref: 0013427C
                                • SHGetFolderPathW.SHELL32(00000000,00000028,00000000,00000000,?,?,75DAA6F0), ref: 0013428F
                                • PathAppendW.SHLWAPI(?,?,?,75DAA6F0), ref: 001342A2
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001342BB
                                • PathFileExistsW.SHLWAPI(?,?,75DAA6F0), ref: 001342CC
                                • PathIsDirectoryW.SHLWAPI(?), ref: 001342DE
                                • lstrcpyW.KERNEL32(?,?,?,75DAA6F0), ref: 001342F1
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$File$lstrcpy$DirectoryExists$AppendFolderlstrcat$EnvironmentExpandFindNameRelativeRemoveSpecStrings
                                • String ID: \np3\
                                • API String ID: 3472113900-578766168
                                • Opcode ID: 4e82ad9165e2ef041882cad38f9894b9ba17ea115a5b2377bf51ec1c21fdabfa
                                • Instruction ID: a64dab8e2758c046cc6bf4b824e05324d496576e8b79449747a8ae9ca8912774
                                • Opcode Fuzzy Hash: 4e82ad9165e2ef041882cad38f9894b9ba17ea115a5b2377bf51ec1c21fdabfa
                                • Instruction Fuzzy Hash: B941DAB260434AABDB20DBA0EC48FEB77ECBF45740F44082AF645D3050EB74E5898B61

                                Control-flow Graph

                                control_flow_graph 896 1325d0-1325dc PathFileExistsW 897 1325f0-1325f3 896->897 898 1325de-1325e7 PathIsDirectoryW 896->898 898->897 899 1325e9-1325ef 898->899
                                APIs
                                • PathFileExistsW.KERNELBASE(C:\Windows\system32\Viewers\Quikview.exe,00000002,00134EB9), ref: 001325D4
                                • PathIsDirectoryW.SHLWAPI(C:\Windows\system32\Viewers\Quikview.exe), ref: 001325DF
                                Strings
                                Memory Dump Source
                                • Source File: 0000000E.00000002.1651130159.0000000000131000.00000020.00000001.01000000.00000003.sdmp, Offset: 00130000, based on PE: true
                                • Associated: 0000000E.00000002.1650913314.0000000000130000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651458852.00000000001AE000.00000002.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651554572.00000000001C3000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651634715.00000000001C4000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.000000000028E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1651961867.0000000000293000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 0000000E.00000002.1652213975.0000000000295000.00000002.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_14_2_130000_bgsTrRPJh0.jbxd
                                Similarity
                                • API ID: Path$DirectoryExistsFile
                                • String ID: C:\Windows\system32\Viewers\Quikview.exe
                                • API String ID: 1302732169-377476166
                                • Opcode ID: 3c0bf63d45774b2072e72e3d969b7964ae51a6eaa1537e83e1ce03d02d33c313
                                • Instruction ID: 78fab3f1fba6dc1f090ff71933c2e0147b9826d5255e4f86582768c270f115e5
                                • Opcode Fuzzy Hash: 3c0bf63d45774b2072e72e3d969b7964ae51a6eaa1537e83e1ce03d02d33c313
                                • Instruction Fuzzy Hash: 83C012322154219EEF102A287C18BD71288AF02210F094465F401C3048FB64DEC295D4