Windows Analysis Report
enxV0qANdU.bin

Overview

General Information

Sample Name: enxV0qANdU.bin (renamed file extension from bin to exe)
Analysis ID: 615285
MD5: cf6ff9e0403b8d89e42ae54701026c1f
SHA1: a4f5cb11b9340f80a89022131fb525b888aa8bc6
SHA256: a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b
Tags: exe, ransomware
Infos:

Detection

Python Ransomware
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Detected unpacking (overwrites its own PE header)
Yara detected Python Ransomware
Found ransom note / readme
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Sigma detected: Drops script at startup location
Multi AV Scanner detection for dropped file
Sigma detected: System File Execution Location Anomaly
Sigma detected: File Created with System Process Name
Found Tor onion address
Machine Learning detection for sample
Modifies existing user documents (likely ransomware behavior)
Sigma detected: Suspicious Svchost Process
Machine Learning detection for dropped file
Deletes shadow drive data (may be related to ransomware)
Drops PE files with benign system names
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Enables debug privileges
Sample file is different than original file name gathered from version info
Drops PE files
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • enxV0qANdU.exe (PID: 6416 cmdline: "C:\Users\user\Desktop\enxV0qANdU.exe" MD5: CF6FF9E0403B8D89E42AE54701026C1F)
    • svchost.exe (PID: 6564 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: CF6FF9E0403B8D89E42AE54701026C1F)
      • notepad.exe (PID: 5204 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • svchost.exe (PID: 5160 cmdline: "C:\Users\user\AppData\Roaming\svchost.exe" MD5: CF6FF9E0403B8D89E42AE54701026C1F)
    • notepad.exe (PID: 3148 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • OpenWith.exe (PID: 5756 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
  • notepad.exe (PID: 5936 cmdline: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • OpenWith.exe (PID: 1528 cmdline: C:\Windows\system32\OpenWith.exe -Embedding MD5: D179D03728E95E040A889F760C1FC402)
No configs have been found
Source | Rule | Description | Author | Strings
enxV0qANdU.exe | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth
  • 0x4074:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • 0x3ffb:$x2: delete shadows /all /quiet
  • 0x4140:$x3: delete catalog -quiet
enxV0qANdU.exe | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
  • 0x39da:$s1: <EncyptedKey>
  • 0x39f6:$s1: <EncyptedKey>
  • 0x3dbf:$s2: <EncryptedKey>
  • 0x4176:$s3: C:\Users\
  • 0x4214:$s5: #base64Image
  • 0x4292:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
  • 0x2c01:$s7: checkSpread
  • 0x2c55:$s7: checkSleep
  • 0x2c9f:$s7: checkAdminPrivilage
  • 0x2cb3:$s7: checkdeleteShadowCopies
  • 0x2ccb:$s7: checkdisableRecoveryMode
  • 0x2ce4:$s7: checkdeleteBackupCatalog
  • 0x2edc:$s8: deleteShadowCopies
  • 0x2eef:$s8: disableRecoveryMode
  • 0x2f03:$s8: deleteBackupCatalog
  • 0x2c0d:$s9: spreadName
  • 0x2c29:$s10: processName
  • 0x2d97:$s11: sleepOutOfTempFolder
  • 0x2dac:$s12: AlreadyRunning
  • 0x2dbb:$s13: random_bytes
  • 0x2e1c:$s14: encryptDirectory
Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\svchost.exe | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth
  • 0x4074:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
  • 0x3ffb:$x2: delete shadows /all /quiet
  • 0x4140:$x3: delete catalog -quiet
C:\Users\user\AppData\Roaming\svchost.exe | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
  • 0x39da:$s1: <EncyptedKey>
  • 0x39f6:$s1: <EncyptedKey>
  • 0x3dbf:$s2: <EncryptedKey>
  • 0x4176:$s3: C:\Users\
  • 0x4214:$s5: #base64Image
  • 0x4292:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
  • 0x2c01:$s7: checkSpread
  • 0x2c55:$s7: checkSleep
  • 0x2c9f:$s7: checkAdminPrivilage
  • 0x2cb3:$s7: checkdeleteShadowCopies
  • 0x2ccb:$s7: checkdisableRecoveryMode
  • 0x2ce4:$s7: checkdeleteBackupCatalog
  • 0x2edc:$s8: deleteShadowCopies
  • 0x2eef:$s8: disableRecoveryMode
  • 0x2f03:$s8: deleteBackupCatalog
  • 0x2c0d:$s9: spreadName
  • 0x2c29:$s10: processName
  • 0x2d97:$s11: sleepOutOfTempFolder
  • 0x2dac:$s12: AlreadyRunning
  • 0x2dbb:$s13: random_bytes
  • 0x2e1c:$s14: encryptDirectory
Source | Rule | Description | Author | Strings
Process Memory Space: enxV0qANdU.exe PID: 6416 | JoeSecurity_PythonRansomware | Yara detected Python Ransomware | Joe Security
Process Memory Space: svchost.exe PID: 6564 | JoeSecurity_PythonRansomware | Yara detected Python Ransomware | Joe Security
Process Memory Space: svchost.exe PID: 5160 | JoeSecurity_PythonRansomware | Yara detected Python Ransomware | Joe Security
        Source | Rule | Description | Author | Strings
        11.0.svchost.exe.c50000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth
        • 0x4074:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        • 0x3ffb:$x2: delete shadows /all /quiet
        • 0x4140:$x3: delete catalog -quiet
        11.0.svchost.exe.c50000.0.unpack | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
        • 0x39da:$s1: <EncyptedKey>
        • 0x39f6:$s1: <EncyptedKey>
        • 0x3dbf:$s2: <EncryptedKey>
        • 0x4176:$s3: C:\Users\
        • 0x4214:$s5: #base64Image
        • 0x4292:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
        • 0x2c01:$s7: checkSpread
        • 0x2c55:$s7: checkSleep
        • 0x2c9f:$s7: checkAdminPrivilage
        • 0x2cb3:$s7: checkdeleteShadowCopies
        • 0x2ccb:$s7: checkdisableRecoveryMode
        • 0x2ce4:$s7: checkdeleteBackupCatalog
        • 0x2edc:$s8: deleteShadowCopies
        • 0x2eef:$s8: disableRecoveryMode
        • 0x2f03:$s8: deleteBackupCatalog
        • 0x2c0d:$s9: spreadName
        • 0x2c29:$s10: processName
        • 0x2d97:$s11: sleepOutOfTempFolder
        • 0x2dac:$s12: AlreadyRunning
        • 0x2dbb:$s13: random_bytes
        • 0x2e1c:$s14: encryptDirectory
        1.2.svchost.exe.950000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth
        • 0x4074:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        • 0x3ffb:$x2: delete shadows /all /quiet
        • 0x4140:$x3: delete catalog -quiet
        1.2.svchost.exe.950000.0.unpack | MALWARE_Win_Chaos | Detects Chaos ransomware | ditekSHen
        • 0x39da:$s1: <EncyptedKey>
        • 0x39f6:$s1: <EncyptedKey>
        • 0x3dbf:$s2: <EncryptedKey>
        • 0x4176:$s3: C:\Users\
        • 0x4214:$s5: #base64Image
        • 0x4292:$s6: (?:[13]{1}[a-km-zA-HJ-NP-Z1-9]{26,33}|bc1[a-z0-9]{39,59})
        • 0x2c01:$s7: checkSpread
        • 0x2c55:$s7: checkSleep
        • 0x2c9f:$s7: checkAdminPrivilage
        • 0x2cb3:$s7: checkdeleteShadowCopies
        • 0x2ccb:$s7: checkdisableRecoveryMode
        • 0x2ce4:$s7: checkdeleteBackupCatalog
        • 0x2edc:$s8: deleteShadowCopies
        • 0x2eef:$s8: disableRecoveryMode
        • 0x2f03:$s8: deleteBackupCatalog
        • 0x2c0d:$s9: spreadName
        • 0x2c29:$s10: processName
        • 0x2d97:$s11: sleepOutOfTempFolder
        • 0x2dac:$s12: AlreadyRunning
        • 0x2dbb:$s13: random_bytes
        • 0x2e1c:$s14: encryptDirectory
        11.2.svchost.exe.c50000.0.unpack | Destructive_Ransomware_Gen1 | Detects destructive malware | Florian Roth
        • 0x4074:$x1: /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
        • 0x3ffb:$x2: delete shadows /all /quiet
        • 0x4140:$x3: delete catalog -quiet

        System Summary

        Source: Process started | Author: Florian Roth, Patrick Bareiss, Anton Kutepov, oscd.community | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\enxV0qANdU.exe" , ParentImage: C:\Users\user\Desktop\enxV0qANdU.exe, ParentProcessId: 6416, ParentProcessName: enxV0qANdU.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 6564, ProcessName: svchost.exe
        Source: File created | Author: Sander Wiebing, Tim Shelton | Data: EventID: 11, Image: C:\Users\user\Desktop\enxV0qANdU.exe, ProcessId: 6416, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
        Source: Process started | Author: Florian Roth | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\enxV0qANdU.exe" , ParentImage: C:\Users\user\Desktop\enxV0qANdU.exe, ParentProcessId: 6416, ParentProcessName: enxV0qANdU.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 6564, ProcessName: svchost.exe
        Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Users\user\Desktop\enxV0qANdU.exe, ProcessId: 6416, TargetFilename: C:\Users\user\AppData\Roaming\svchost.exe
        Source: Process started | Author: vburov | Data: Command: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\svchost.exe, NewProcessName: C:\Users\user\AppData\Roaming\svchost.exe, OriginalFileName: C:\Users\user\AppData\Roaming\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\enxV0qANdU.exe" , ParentImage: C:\Users\user\Desktop\enxV0qANdU.exe, ParentProcessId: 6416, ParentProcessName: enxV0qANdU.exe, ProcessCommandLine: "C:\Users\user\AppData\Roaming\svchost.exe" , ProcessId: 6564, ProcessName: svchost.exe

        Data Obfuscation

        Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Roaming\svchost.exe, ProcessId: 6564, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
        No Snort rule has matched

        AV Detection

        Source: enxV0qANdU.exe | Virustotal: Detection: 58%
        Source: enxV0qANdU.exe | ReversingLabs: Detection: 90%
        Source: enxV0qANdU.exe | Avira: detected
        Source: C:\Users\user\AppData\Roaming\svchost.exe | Avira: detection malicious, Label: HEUR/AGEN.1235574
        Source: C:\Users\user\AppData\Roaming\svchost.exe | Virustotal: Detection: 58%
        Source: C:\Users\user\AppData\Roaming\svchost.exe | ReversingLabs: Detection: 90%
        Source: enxV0qANdU.exe | Joe Sandbox ML: detected
        Source: C:\Users\user\AppData\Roaming\svchost.exe | Joe Sandbox ML: detected

        Compliance

        Source: C:\Users\user\Desktop\enxV0qANdU.exe | Unpacked PE file: 0.2.enxV0qANdU.exe.140000.0.unpack
        Source: C:\Users\user\AppData\Roaming\svchost.exe | Unpacked PE file: 1.2.svchost.exe.950000.0.unpack
        Source: C:\Users\user\AppData\Roaming\svchost.exe | Unpacked PE file: 11.2.svchost.exe.c50000.0.unpack
        Source: enxV0qANdU.exe | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Desktop\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Desktop\EEGWXUHVUG\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Desktop\EFOYFBOLXA\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Desktop\NVWZAPQSQL\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Links\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Contacts\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\EEGWXUHVUG\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\My Music\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\My Pictures\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\My Pictures\Camera Roll\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\My Videos\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Favorites\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Favorites\Links\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\AccountPictures\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\Public\Documents\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\Public\Documents\My Music\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\Public\Desktop\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\GRXZDKKVDB\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Documents\NVWZAPQSQL\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Downloads\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Saved Games\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\Searches\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\UProof\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\Public\Pictures\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\Public\Videos\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exe | File created: C:\Users\user\AppData\Roaming\readme.txt
        Source: enxV0qANdU.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: .core.pdb.ico.pas source: enxV0qANdU.exe, svchost.exe.0.dr

        Networking

        Source: enxV0qANdU.exe | String found in binary or memory: http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion
        Source: svchost.exe | String found in binary or memory: http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion
        Source: readme.txt13.11.dr | String found in binary or memory: http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.live.com/
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.reddit.com/
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.twitter.com/
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.wikipedia.com/
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.youtube.com/
        Source: svchost.exe, 0000000B.00000002.525446953.0000000003423000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000016.00000002.522065339.0000018C1184C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000017.00000002.522030091.00000287E5594000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521662494.000001FA8614A000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521785161.000001FA86186000.00000004.00000020.00020000.00000000.sdmp, enxV0qANdU.exe, readme.txt13.11.dr, readme.txt12.1.dr, readme.txt7.11.dr, readme.txt.11.dr, readme.txt22.1.dr, readme.txt9.1.dr, readme.txt14.11.dr, readme.txt15.1.dr, readme.txt6.1.dr, readme.txt.1.dr, readme.txt25.1.dr, readme.txt2.1.dr, readme.txt14.1.dr, readme.txt2.11.dr, readme.txt12.11.dr | String found in binary or memory: https://torproject.org)
        Source: C:\Users\user\AppData\Roaming\svchost.exeWindow created: window name: CLIPBRDWNDCLASSJump to behavior

        Spam, unwanted Advertisements and Ransom Demands

        Source: Yara matchFile source: Process Memory Space: enxV0qANdU.exe PID: 6416, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 6564, type: MEMORYSTR
        Source: Yara matchFile source: Process Memory Space: svchost.exe PID: 5160, type: MEMORYSTR
        Source: C:\Users\Public\Documents\readme.txtDropped file: All of your files are currently encrypted by ONYX strain.As you already know, all of your data has been encrypted by our software. It cannot be recovered by any means without contacting our team directly.DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,if you want to try - we recommend choosing the data of the lowest value.DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. So it will be better for both sides if you contact us as soon as possible.DON'T TRY TO CONTACT feds or any recovery companies. We have our informants in these structures, so any of your complaints will be immediately directed to us. So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publication of whole compromised data immediately.To prove that we REALLY CAN get your data back - we offer you to decrypt two random files completely free of charge.You can contact our team directly for further instructions through our website :TOR VERSION :(you should download and install TOR browser first https://torproject.org)http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onionLogin: ampkczPassword: fgh5RgsW73FYOU SHOULD BE AWARE!We will speak only with an authorized person. It can be the CEO, top management, etc. In case you are not such a person - DON'T CONTACT US! Your decisions and action can result in serious harm to your company! Inform your supervisors and stay calm!Jump to dropped file
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile moved: C:\Users\user\Desktop\EOWRVPQCCS.jpgJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile deleted: C:\Users\user\Desktop\EOWRVPQCCS.jpgJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile moved: C:\Users\user\Desktop\EEGWXUHVUG\BJZFPPWAPT.pngJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile deleted: C:\Users\user\Desktop\EEGWXUHVUG\BJZFPPWAPT.pngJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile moved: C:\Users\user\Desktop\EFOYFBOLXA\EFOYFBOLXA.docxJump to behavior
        Source: enxV0qANdU.exeBinary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: enxV0qANdU.exe, 00000000.00000002.265855412.0000000000142000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: enxV0qANdU.exe, 00000000.00000002.266142357.0000000002461000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exeBinary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exe, 00000001.00000002.520628351.0000000000952000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exe, 00000001.00000002.522986202.0000000002CE1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exeBinary or memory string: vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exe, 0000000B.00000002.520684486.0000000000C52000.00000002.00000001.01000000.00000007.sdmpBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exe, 0000000B.00000002.523218317.00000000030A1000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: <vssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: enxV0qANdU.exeBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete
        Source: svchost.exe.0.drBinary or memory string: /C yvssadmin delete shadows /all /quiet & wmic shadowcopy delete

        System Summary

        Source: enxV0qANdU.exe, type: SAMPLEMatched rule: Detects destructive malware Author: Florian Roth
        Source: enxV0qANdU.exe, type: SAMPLEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 11.0.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 11.0.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 1.2.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 1.2.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 11.2.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 11.2.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 0.2.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 0.2.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 1.0.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 1.0.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: 0.0.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects destructive malware Author: Florian Roth
        Source: 0.0.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects destructive malware Author: Florian Roth
        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Detects Chaos ransomware Author: ditekSHen
        Source: enxV0qANdU.exeStatic PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
        Source: enxV0qANdU.exe, type: SAMPLEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: enxV0qANdU.exe, type: SAMPLEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 11.0.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.0.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 1.2.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.2.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 11.2.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 11.2.svchost.exe.c50000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 0.2.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.2.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 1.0.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 1.0.svchost.exe.950000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: 0.0.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: 0.0.enxV0qANdU.exe.140000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: Destructive_Ransomware_Gen1 date = 2018-02-12, hash1 = ae9a4e244a9b3c77d489dee8aeaf35a7c3ba31b210e76d81ef2e91790f052c85, author = Florian Roth, description = Detects destructive malware, reference = http://blog.talosintelligence.com/2018/02/olympic-destroyer.html, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
        Source: C:\Users\user\AppData\Roaming\svchost.exe, type: DROPPEDMatched rule: MALWARE_Win_Chaos author = ditekSHen, description = Detects Chaos ransomware
        Source: enxV0qANdU.exeBinary or memory string: OriginalFilename vs enxV0qANdU.exe
        Source: enxV0qANdU.exe, 00000000.00000002.265855412.0000000000142000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameamp.exe4 vs enxV0qANdU.exe
        Source: enxV0qANdU.exe, 00000000.00000002.265954054.0000000000590000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs enxV0qANdU.exe
        Source: enxV0qANdU.exeBinary or memory string: OriginalFilenameamp.exe4 vs enxV0qANdU.exe
        Source: enxV0qANdU.exeVirustotal: Detection: 58%
        Source: enxV0qANdU.exeReversingLabs: Detection: 90%
        Source: C:\Users\user\Desktop\enxV0qANdU.exeFile read: C:\Users\user\Desktop\enxV0qANdU.exeJump to behavior
        Source: enxV0qANdU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\enxV0qANdU.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\enxV0qANdU.exe "C:\Users\user\Desktop\enxV0qANdU.exe"
        Source: C:\Users\user\Desktop\enxV0qANdU.exeProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
        Source: unknownProcess created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
        Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt
        Source: unknownProcess created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
        Source: unknownProcess created: C:\Windows\System32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding
        Source: C:\Users\user\Desktop\enxV0qANdU.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\enxV0qANdU.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to behavior
        Source: classification engineClassification label: mal100.rans.expl.evad.winEXE@11/348@0/0
        Source: C:\Users\user\Desktop\enxV0qANdU.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\enxV0qANdU.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
        Source: enxV0qANdU.exe, svchost.exe.0.drBinary or memory string: .vb.m1v.sln.pst.obj
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile written: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected
        Source: enxV0qANdU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: enxV0qANdU.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: .core.pdb.ico.pas source: enxV0qANdU.exe, svchost.exe.0.dr

        Data Obfuscation

        Source: C:\Users\user\Desktop\enxV0qANdU.exeUnpacked PE file: 0.2.enxV0qANdU.exe.140000.0.unpack
        Source: C:\Users\user\AppData\Roaming\svchost.exeUnpacked PE file: 1.2.svchost.exe.950000.0.unpack
        Source: C:\Users\user\AppData\Roaming\svchost.exeUnpacked PE file: 11.2.svchost.exe.c50000.0.unpack

        Persistence and Installation Behavior

        Source: C:\Users\user\Desktop\enxV0qANdU.exeFile created: C:\Users\user\AppData\Roaming\svchost.exeJump to dropped file
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Desktop\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Desktop\EEGWXUHVUG\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Desktop\EFOYFBOLXA\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Desktop\NVWZAPQSQL\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Links\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Contacts\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\EEGWXUHVUG\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\My Music\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\My Pictures\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\My Pictures\Camera Roll\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\My Videos\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Favorites\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Favorites\Links\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Bibliography\Style\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Document Building Blocks\1033\16\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Spelling\en-US\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\AccountPictures\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\SendTo\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\Public\Documents\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\Public\Documents\My Music\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\Public\Desktop\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\GRXZDKKVDB\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Documents\NVWZAPQSQL\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Downloads\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Saved Games\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\Searches\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\UProof\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Libraries\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\Public\Pictures\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\Public\Videos\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\readme.txtJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.urlJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
        Source: C:\Users\user\Desktop\enxV0qANdU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\AppData\Roaming\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
        Source: C:\Users\user\Desktop\enxV0qANdU.exe TID: 6444 Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\AppData\Roaming\svchost.exe Last function: Thread delayed
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Process information queried: ProcessInformation
        Source: svchost.exe, 0000000B.00000002.522358325.0000000001097000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Process token adjusted: Debug
        Source: C:\Users\user\AppData\Roaming\svchost.exe Process token adjusted: Debug
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Memory allocated: page read and write | page guard
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Process created: C:\Users\user\AppData\Roaming\svchost.exe "C:\Users\user\AppData\Roaming\svchost.exe"
        Source: C:\Users\user\AppData\Roaming\svchost.exe Process created: C:\Windows\System32\notepad.exe "C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt
        Source: C:\Users\user\Desktop\enxV0qANdU.exe Queries volume information: C:\Users\user\Desktop\enxV0qANdU.exe VolumeInformation
        Source: C:\Users\user\AppData\Roaming\svchost.exe Queries volume information: C:\Users\user\AppData\Roaming\svchost.exe VolumeInformation
        Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\readme.txt VolumeInformation
        Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt VolumeInformation
        Source: C:\Users\user\AppData\Roaming\svchost.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
        Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
        Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd
        Persistence: 2 Registry Run Keys / Startup Folder; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Privilege Escalation: 11 Process Injection; 2 Registry Run Keys / Startup Folder; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common
        Defense Evasion: 11 Masquerading; 1 Disable or Modify Tools; 21 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Software Packing; 1 File Deletion
        Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
        Discovery: 1 Query Registry; 11 Security Software Discovery; 1 Process Discovery; 21 Virtualization/Sandbox Evasion; 2 File and Directory Discovery; 12 System Information Discovery
        Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
        Collection: 1 Clipboard Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
        Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
        Command and Control: 1 Proxy; Junk Data; Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication
        Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service
        Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
        Impact: 1 Data Encrypted for Impact; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features
        [Behavior graph: ID: 615285, Sample: enxV0qANdU.bin, Startdate: 26/04/2022, Architecture: WINDOWS, Score: 100]

        Source | Detection | Scanner | Label
        enxV0qANdU.exe | 59% | Virustotal |
        enxV0qANdU.exe | 90% | ReversingLabs | ByteCode-MSIL.Ransomware.FileCoder
        enxV0qANdU.exe | 100% | Avira | HEUR/AGEN.1235574
        enxV0qANdU.exe | 100% | Joe Sandbox ML |

        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Roaming\svchost.exe | 100% | Avira | HEUR/AGEN.1235574
        C:\Users\user\AppData\Roaming\svchost.exe | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Roaming\svchost.exe | 59% | Virustotal |
        C:\Users\user\AppData\Roaming\svchost.exe | 90% | ReversingLabs | ByteCode-MSIL.Ransomware.FileCoder

        Source | Detection | Scanner | Label
        1.2.svchost.exe.950000.0.unpack | 100% | Avira | HEUR/AGEN.1235574
        11.2.svchost.exe.c50000.0.unpack | 100% | Avira | HEUR/AGEN.1235574
        0.0.enxV0qANdU.exe.140000.0.unpack | 100% | Avira | HEUR/AGEN.1235574
        1.0.svchost.exe.950000.0.unpack | 100% | Avira | HEUR/AGEN.1235574
        0.2.enxV0qANdU.exe.140000.0.unpack | 100% | Avira | HEUR/AGEN.1235574
        11.0.svchost.exe.c50000.0.unpack | 100% | Avira | HEUR/AGEN.1235574

        No Antivirus matches

        Source | Detection | Scanner | Label
        http://www.wikipedia.com/ | 0% | URL Reputation | safe
        https://torproject.org) | 0% | Avira URL Cloud | safe
        http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion | 0% | Avira URL Cloud | safe
        No contacted domains info
        Name: http://www.wikipedia.com/
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp
        Malicious: false
        Antivirus Detection: URL Reputation: safe
        Reputation: unknown

        Name: https://torproject.org)
        Source: svchost.exe, 0000000B.00000002.525446953.0000000003423000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000016.00000002.522065339.0000018C1184C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000017.00000002.522030091.00000287E5594000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521662494.000001FA8614A000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521785161.000001FA86186000.00000004.00000020.00020000.00000000.sdmp, enxV0qANdU.exe, readme.txt13.11.dr, readme.txt12.1.dr, readme.txt7.11.dr, readme.txt.11.dr, readme.txt22.1.dr, readme.txt9.1.dr, readme.txt14.11.dr, readme.txt15.1.dr, readme.txt6.1.dr, readme.txt.1.dr, readme.txt25.1.dr, readme.txt2.1.dr, readme.txt14.1.dr, readme.txt2.11.dr, readme.txt12.11.dr
        Malicious: true
        Antivirus Detection: Avira URL Cloud: safe
        Reputation: low

        Name: http://www.live.com/
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp
        Malicious: false
        Reputation: high

        Name: http://www.reddit.com/
        Source: svchost.exe, 00000001.00000003.377090952.000000000330B000.00000004.00000800.00020000.00000000.sdmp
        Malicious: false
        Reputation: high

        Name: http://www.twitter.com/
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp
        Malicious: false
        Reputation: high

        Name: http://ibpwmfrlbwkfd4asg57t4x2vkrczuq3uhrfxf6y35xoalwjlztil54ad.onion
        Source: svchost.exe, 0000000B.00000002.525446953.0000000003423000.00000004.00000800.00020000.00000000.sdmp, notepad.exe, 00000016.00000002.522065339.0000018C1184C000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 00000017.00000002.522030091.00000287E5594000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521662494.000001FA8614A000.00000004.00000020.00020000.00000000.sdmp, notepad.exe, 0000001A.00000002.521785161.000001FA86186000.00000004.00000020.00020000.00000000.sdmp, enxV0qANdU.exe, readme.txt13.11.dr, readme.txt12.1.dr, readme.txt7.11.dr, readme.txt.11.dr, readme.txt22.1.dr, readme.txt9.1.dr, readme.txt14.11.dr, readme.txt15.1.dr, readme.txt6.1.dr, readme.txt.1.dr, readme.txt25.1.dr, readme.txt2.1.dr, readme.txt14.1.dr, readme.txt2.11.dr, readme.txt12.11.dr
        Malicious: true
        Antivirus Detection: Avira URL Cloud: safe
        Reputation: unknown

        Name: http://www.youtube.com/
        Source: svchost.exe, 0000000B.00000003.376413454.00000000036CB000.00000004.00000800.00020000.00000000.sdmp
        Malicious: false
        Reputation: high
                No contacted IP infos
                Joe Sandbox Version:34.0.0 Boulder Opal
                Analysis ID:615285
                Start date and time: 2022-04-26 00:17:07 +02:00
                Joe Sandbox Product:CloudBasic
                Overall analysis duration:0h 7m 40s
                Hypervisor based Inspection enabled:false
                Report type:full
                Sample file name:enxV0qANdU.bin (renamed file extension from bin to exe)
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
                Number of analysed new started processes analysed:34
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • HDC enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Detection:MAL
                Classification:mal100.rans.expl.evad.winEXE@11/348@0/0
                EGA Information:Failed
                HDC Information:
                • Successful, ratio: 5.3% (good quality ratio 5.3%)
                • Quality average: 63%
                • Quality standard deviation: 18.8%
                HCA Information:
                • Successful, ratio: 97%
                • Number of executed functions: 60
                • Number of non-executed functions: 0
                Cookbook Comments:
                • Adjust boot time
                • Enable AMSI
                • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe
                • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, fs.microsoft.com, go.microsoft.com, store-images.s-microsoft.com, login.live.com, sls.update.microsoft.com, ctldl.windowsupdate.com, settings-win.data.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
                • Execution Graph export aborted for target enxV0qANdU.exe, PID 6416 because it is empty
                • Execution Graph export aborted for target svchost.exe, PID 5160 because it is empty
                • Execution Graph export aborted for target svchost.exe, PID 6564 because it is empty
                • Not all processes where analyzed, report is missing behavior information
                • Report size exceeded maximum capacity and may have missing behavior information.
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                Time | Type | Description
                00:18:30 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
                00:19:23 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.ampkcz
                00:19:32 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
                00:19:33 | API Interceptor | 2x Sleep call for process: OpenWith.exe modified
                00:19:45 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url.ampkcz
                No context
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):436
                Entropy (8bit):5.949657116339088
                Encrypted:false
                SSDEEP:12:fMEWgjouwUgRG/6JbkfNiZEcwZfG13wQq:fMNNVUP/6VJiT
                MD5:C08BFFFD81398CFD8D6E1AE864D3DEFC
                SHA1:27AAE027E9702D9578EFDFFC3D653386E0F61D3D
                SHA-256:484EA8E6BE157B8C6DDED9928C29899B67ECB7A765CAEED1E4E92445AAD8B9B9
                SHA-512:F74CA995A1B28AC506AFA4353202157CAC0EA8B8C49BD6346698EF7E103841688173B3BDC2ABDDA7B21424127B9BC7A855B1D6123F79BFEA76DD3A157769BF5D
                Malicious:false
                Reputation:low
                Preview:<EncryptedKey>OR7/LJIK0MklooEIxAbBztG75N/ctwR59gEyfPPlkIvcRNw+oERyybUhQ7/N7o1Y9jja5qWappKqxWOOl1dWbc5lUXZJSuck222oHrsNunNDp6M4k2s02et4OaGXY1EgeHmBeVPWG3qhlSKx95/kzXZOqY1l996GXVbm/9Vo4NQ=<EncryptedKey>+ngam2vl3b6gIjZUDj4NVxkvn5+URU3hb1dMvmPOW2rjE+25JdxYZaVPTtMXPf6ut5u7JxAkBsW1mO6qzkEC6zE5FU7nsLwXeogMHq6f1km6gtY8arSikguWqX/Leu+Q4uX2vHyTSzrDsJcixUi7ZPzmJAHgknQtQlyBi71v/y/5r0mJOtSHr79kj++viFELRhh8KGCYdbI1nrricN7X/OXUpjDJgZSdKfUTeQjzB6U=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Reputation:low
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):712
                Entropy (8bit):5.970667083796527
                Encrypted:false
                SSDEEP:12:fMEon70NKuh9RarInUehUg0OXs0vlHuonLTPtSE5OZpiW3Mf5GqlT2znuJWwQ/7H:fMWgmoeeDObvJdLBSE5OZpitf5Gqgzuo
                MD5:197B1BA04F9914DCEFAC87604E3B23B5
                SHA1:C3E847FF8227DA9812EB36C33ADBFD87BD4E7816
                SHA-256:09D5ED7279D9BB593DBF3BFB04F241E00502F9CE1C37369797B1FD7D4C4AD781
                SHA-512:DC51AAF9F3B2892715A00DDE1C198C0C0CB7F08E5A129C95094285DAAF8C1E738E0072E81F50AFB0964EC9F990F200E8A31E6B2B4C72A45A6032A773D682D4F7
                Malicious:false
                Reputation:low
                Preview:<EncryptedKey>vB9fO5/gPijw+PiYz4E2uyr1+7N2kTWIcb1fRWRPHIUvZftrwLKOrVolQGzHHAlrEC859rND9S0gIx0QxaVbGJV8+bYefC3lYhRoiuGdhK2Hw/2qDifDp2ThDHGVZOfJNH8N6lg6N58zo5dkPcyrNgHojMdbkp2ywo1clpmQs0o=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):584
                Entropy (8bit):5.958748110240368
                Encrypted:false
                SSDEEP:12:fMEXysXq/XLiTdFggNQCUmUelsE99nZAWwbcoNr2x9sj3Nn:fMaX4XLBgWC7UE9lZ/wbZI9sj3Nn
                MD5:41B5E3F727A5B27497C394F7D673D27E
                SHA1:A3FFF106C4E62FEB0D2462F38F25FE0CF65CB127
                SHA-256:CE2017AD90DF6269D453F8B9482028D9568130ED80F7DD993B8F15954F2BF5E1
                SHA-512:BB94D1311D66B3BFA2E3E1F107A1991B60E5E078DDF408713A24F55D2AA59F8E1A5707344C2A345E8E530197F1894347FE92C3B16A01312B99C96B710233331C
                Malicious:false
                Preview:<EncryptedKey>FIphR5B2MrjaTaoOaAsezB2ycJGk4gnvvLI43I+6JcCeyObn2QJfN7FNI9TryT0/zKDMvsC/f/HHUwu7vIBiWzG5NILT4xdo/HjArcIO5+8wn8AHL+QHRIAen+emBoy1IeGNGiCthn2pBMVfjKaw15VP0+/pmNDatxI0obu2Pfs=<EncryptedKey>WztLY01MZT3Vthqwd4FAXt53+efwkmLF8F3rV4ejU06RupvwFujgTuDiFKuXnzEoemCrNjRjygamXIhskKIWbPEPi87Aao9ptiYuN03cx7YNQWN9BO5Kx4BkyhupIfLhMnBc73nll4qQEsmTayb89Fmk909W/9Fob2KJMvDtp/jUv45wChrNxVZXQ2Oy6RoLkY8wHjuY+OBz7OmNFCJq6SGhYykC+laMd3SsENpNTnticjAgzU7uQMi9HY2qFukn5vISPOK/TaZVZbvLSy9ic6egYtxChpRwWVcKMHiPaDa9OANLA4cJfqZ6zag3sHec0oW0LKOieBpHNzJl+Y1J6tLwKuYl4C70BbelUckVJ8HAR6qOJzwELu6aVSwNttY9
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:true
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):712
                Entropy (8bit):5.970667083796527
                Encrypted:false
                SSDEEP:12:fMEon70NKuh9RarInUehUg0OXs0vlHuonLTPtSE5OZpiW3Mf5GqlT2znuJWwQ/7H:fMWgmoeeDObvJdLBSE5OZpitf5Gqgzuo
                MD5:197B1BA04F9914DCEFAC87604E3B23B5
                SHA1:C3E847FF8227DA9812EB36C33ADBFD87BD4E7816
                SHA-256:09D5ED7279D9BB593DBF3BFB04F241E00502F9CE1C37369797B1FD7D4C4AD781
                SHA-512:DC51AAF9F3B2892715A00DDE1C198C0C0CB7F08E5A129C95094285DAAF8C1E738E0072E81F50AFB0964EC9F990F200E8A31E6B2B4C72A45A6032A773D682D4F7
                Malicious:false
                Preview:<EncryptedKey>vB9fO5/gPijw+PiYz4E2uyr1+7N2kTWIcb1fRWRPHIUvZftrwLKOrVolQGzHHAlrEC859rND9S0gIx0QxaVbGJV8+bYefC3lYhRoiuGdhK2Hw/2qDifDp2ThDHGVZOfJNH8N6lg6N58zo5dkPcyrNgHojMdbkp2ywo1clpmQs0o=<EncryptedKey>E+hjNhjxcQF0h1p3Z7RZTmW9SninRHOalyQuteHO6w0QtS4TZ7mVDRXWc/dFZfZM4bQ2DzelFzFPAxEU7BjtGi1CasBZXtorHTjKxKeGy8CZq+a/c92i5g/VyGfPzEmSYUH06pAE2UHVgV/xiazKOtIrWSgY2BcjjtX22KFMCA+S/YbiOnxa+2AjpkLhQomEn69O9f1otyvkIeC8c/1nAwp/c+vXWNJnG+FynzXtcTUBw9VxrptfZpHpT+u9LC9ucYqwYSNe1Wz0lYOsaUbriFZFptGdW/SCIXlCICT3aPOuv+3tyAg9yAhGGz3DMHU1g1WyP0VkWcxLRHK+Dz90AYxZKDJzi9GCUjmas+JE2fkok1qUI2KSYFQsJHkTMPphZI4HL2cJx/ogJqW0umHLmrGacxMEcrPpf/7jF8D35aCs66c3uUK8ZPkbo8jLOb9bUsPIwmRzTh6lEGTg3zmo+BuXChkJOPqwf35/hUSgymxDL2Ur2v1bC2In0Rq0lLpx
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):712
                Entropy (8bit):5.968542261036914
                Encrypted:false
                SSDEEP:12:fMEKQ/V9J7P5tJ5SQUBOaFu1XJ5+JJgGal0zrnKWwwPhSr2PtymF6JGiD3:fMGP7htJ5bUBOSu1XJc3UyrKWFPEr2cH
                MD5:1F8FB77223ED2214E8DB880844278843
                SHA1:7239C453671374B510C4925F967E9438B7B0DCF0
                SHA-256:1DC64DE539C99DE983AFF7E7A0C03E50A4AC47227C5723A3C66C76AA2F8F9322
                SHA-512:B96EAF2C197C08A8E1F6F2432B58F3DC149103EABF49F1C9844A36FC540647B5F7814844EE9EA2306E216AA31D43D980AC61698DC964F61CB2A79E363029BAFF
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):712
                Entropy (8bit):5.974129377492332
                Encrypted:false
                SSDEEP:12:fMETjuSSXGzW5uYlIQSN6S1sOBJ0Sf77Yq6y4szk3FY0apb8ZP4r3k45OWXmoxR:fMOTnzwraBDfWSf77Y7y4LFY0Ib8CrHf
                MD5:E80783A4AEAF4013CC0098B40D35AD55
                SHA1:E52AB3C9D156589B5874CA2FADCE4E2672955771
                SHA-256:D4EC6BF04C720B51681D3DA1A146C4934E9C84E9E14EA6D04B4959828986A6F3
                SHA-512:32DA48DAA51EDC04135BB1ADD09693B8CF20BAB6BC407DADBB89CF30EBB0F028B354D721A97091333BD69A1BDEFDC690685AE485DD58702E2EE6E658634ED6F2
                Malicious:false
                Process:C:\Users\user\Desktop\enxV0qANdU.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):226
                Entropy (8bit):5.354940450065058
                Encrypted:false
                SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                MD5:B10E37251C5B495643F331DB2EEC3394
                SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                Malicious:true
                Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):445024
                Entropy (8bit):6.000100679282098
                Encrypted:false
                SSDEEP:12288:EivZ2cjJ1ca+x/nP2GbWEhwgD69Ob+5o/G9aH5rm3cV6OSAd4:HvIcjJ1Z+F+GyQw/sQJA+
                MD5:1D2688056A95F6BE310C5D6C6B4C9216
                SHA1:24566ECA8A6110AC0F8025DECAFB687F1F1BB745
                SHA-256:82C31F4ECACA7D5B299282BD486EA83BBE58C63E00E471AA3F421D1635DE45E4
                SHA-512:D19B79A08F0049D46F85C52274F1E1F897723EC72F3933E01196DC09F4E1A2643DFE4880CD16A33E04FD53219FA6354215283A89AF9C70EE8A52918341E9A438
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):396232
                Entropy (8bit):6.000076573143369
                Encrypted:false
                SSDEEP:12288:08znU0CC7nN16o0kx510DZW1VZ8GjtGP/P7:XznU0C6QK14W1XNw7
                MD5:9292BF8A1044036A409FE84E9625BD2A
                SHA1:3BD74FD55A3609EE3B92E7876634C5D745397DD1
                SHA-256:21241ACC1EA391ED118EDC17B1284A08B9BE9CDDFCA28B3A755A44515A99D372
                SHA-512:7582659A5C38B6852AA3C3012A34315506FFEE1C6CE99F520830F05EFF0ED7A24D0B311F5F61F4B37BC370DEFEB37F78E0C47F0771695465619358849BD49CEE
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):358432
                Entropy (8bit):6.000095970177969
                Encrypted:false
                SSDEEP:6144:ESeOCZiMtXFGZ29AJEZgujtbs5zyAweK+TP1pMJuPvq:ESeNxFV9rbs5WXSPFvq
                MD5:F74AAAE46EA17DAF6CF2C6B573D7B3EC
                SHA1:1F8C8C55B2616B3BCE3AE726F4D18A28B77CA4B0
                SHA-256:515ABC918AD006E9CDD204F315101E64C10678C90F6223F6BEC03D68D599655C
                SHA-512:AA8CEE4E6AAC3887BB7126AF19C8DC13EEF63CEBE88B55E991B63177EE234346F5113C89D480EC41A05114E37D1F248FC7092C7003D39BDDDD602DB96901D558
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):342024
                Entropy (8bit):6.000075585991131
                Encrypted:false
                SSDEEP:6144:CCvUZG3yeXJ9WiA9o5EmFN/KiKqrXCleNpvhI0gMzfiJiwo/F1vaprThi7DEH4I8:CCvUZGiG5EwNZS6nXmJlAPvSThcrI8
                MD5:9C3128A7F0730300DF9C8CAC05605DE2
                SHA1:A05829D3B1965A7745C3FC1A40B959886E682EF3
                SHA-256:90E6037DD7F178AB8851A9C31900C93DC94818BF82CF710F64714CC6FFF7C36A
                SHA-512:1D1F7869244954F61F6948E175D75E68CC21833574DCFB1C7F701724EE502C932683C0D8A67C60FE3EFA323D94DD8D3046AC8AEE688537D09175E5090E1F1413
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):335476
                Entropy (8bit):6.000097988001217
                Encrypted:false
                SSDEEP:6144:8j+8HT3MR6bfTM8+k4c6V0rGZwya127w7zEymkDNs66nLjP0DtImAbtqhj3+7s:M+ST3MR6rTN+5VAGZqcKRmkDa6O0Dt+m
                MD5:159E84BD4A1F42A425C8FD7774E5AFB7
                SHA1:AE51268F5D06746190B01BA58F6C5E0343A2F1FB
                SHA-256:1D50010715609FAADEEA33A70A80FC3DFA0B7185191A2D083BB1D5A7C77F9EBF
                SHA-512:33AED77E300203DBE0CA78FFEC027675C175338919C2471E022808DAE6DB17976BD52BB9F32951D10983E7125DDBF02E56A4F1DA8EAC4A8FEE789D27E0851E89
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):379956
                Entropy (8bit):6.000122492125616
                Encrypted:false
                SSDEEP:6144:xsIirzmrAYdx14ivaTlZzPqyrTnEPebiW7tYPyPtBGqayAIV5rpgH2lyJVC:ftAYdMMaTlBhm5ktCMtBxAITFCpVC
                MD5:DA9CA45F58FF80E802DA19FBDF5E87E4
                SHA1:DC4EE7E4472D48F36CC9C5D879F217198FC8140F
                SHA-256:E2F6FDD3FD227E838F507BF91CBAF92C569412CC684FCBB8FC5335545A475B8F
                SHA-512:2C66FB61975C13B4861E51F50BE9FE07A7189D3CA57FBEB3EB3C555FCD3B7607E2A15377BC5B2B2B87518C4E5B70758B155F521A7508144DD8F874D82B7CD7EA
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):392904
                Entropy (8bit):6.000047409653343
                Encrypted:false
                SSDEEP:6144:shO6lDbsL7PUILfB22JeuAEBZ1x4DJWiA5pdj2P9x1V8atRF7IOXKp/+RivXySVe:B6u7PUKfBreG9iA5pdIV8atz0OXa+RiE
                MD5:C43E03FA2DF5CC9D000AD98720B866B9
                SHA1:B464DEA31BFB3BFA9B5EBBEB88AE8F9E9C95E0B5
                SHA-256:C7D96E14592AB7DA479F405CE1DBC23F2094ED0B022B542EDF6F45FB008DCEB1
                SHA-512:26B24E3AA779402B749F3398BF01DDCCD835801AA4FEEE0194740CED2D4C6D7C79713332FF155BA48DABE69171EC30362A6B3F9F68DBEB146C0518EAFB666731
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):361076
                Entropy (8bit):6.000081672213277
                Encrypted:false
                SSDEEP:6144:rMK3HR2gxbNSmF/uYeRbDyzHz+jl1DtcMEWMk8Pj2aIpuDJcrZXGd7sqR48WRUvJ:rMSx2gx57SyitqrqtpuYGdwq1Hvt
                MD5:780FDF8B2E3CDDF5C6F022C4AB5B30D2
                SHA1:5112A92D59AE4C846AB0D8F5BD32A4036E14EEF8
                SHA-256:2E907FA61221DD06D37C0FFF539BF7F435092FD3DBF0711DBE6A3CA7C75FA159
                SHA-512:A35605799111844B5B3FE96A53C05B41B57871B2B808A1178D3DA43B41354BED7873DA44709491C56AA59A2ECBA2CCD6FFDDF85049F07E22BA5D0D28C827E430
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):290312
                Entropy (8bit):6.000087904471013
                Encrypted:false
                SSDEEP:6144:5RG0zaK8wUHwuDdRpPg5VYU41cjjh1mlgYWoKsIT5Som0hDuFrU:5Iev8q4xSu1cjjzmCCKsIdRm0sFrU
                MD5:B47DA62794EF9A8B171FB62363A153F4
                SHA1:8CC8ADFC9FABFA0939B40B1CED44E3160043B2F4
                SHA-256:D163D97255ACF19BE1EFC53916DBF00FC971DDFA0571F37F64EC924238503CF3
                SHA-512:8F929E54AEAC98C3F3B5C8CA2DDE77DA668324A44A78FE649C53DA852C91C93C81E9D30A48C0092CADC9A6CC702C28CB7B4D02B13B3A954D107711B0E77CA883
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):340512
                Entropy (8bit):6.000100722594385
                Encrypted:false
                SSDEEP:6144:NhDt0pfAGiBi8aoO/d6bNKCHfPeNDImjBY0EhnpjByVOc0RQTq:Nn0RCBi5dFgFH3VRhdBSY9
                MD5:21BB31F78187DB64410BDBAF563C1ABD
                SHA1:1DD78E9745BF2CF7E77CF9EAD4FA1BE0EDBAF942
                SHA-256:F04951754051C446C1F49CE514D710C3E7D824D7C609E12F8837153E5393B47F
                SHA-512:5BAB7E264AC674E31351D5D80B1DF93468B64C917E888D4182011E2CA20274188F70D16C0C678309763DC798E6778216323F39A7FCD29CC4A3FAE8F12D302A28
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):335328
                Entropy (8bit):6.0001482158401
                Encrypted:false
                SSDEEP:6144:g0euMHwQF+iCySFJIcAwBxZ1OpjoGoWlaIp3qX03+D3SLMTJ6w5h9:g0euMHsMSFJ4MxZopkCqX0uDigQwH9
                MD5:AF83A065FC54124145EEBA5934D646B4
                SHA1:6834F5F7439ED22B98579C81542F77B412526B0A
                SHA-256:1CD500F7B6E2D63B4B12D17D09AD7FE679440F1D0596FB05002E56EF47383A41
                SHA-512:CBB573F31C9245C380A13E14DFADDB570962D5F33C01B8EA684DA6724696F5E358F2E5A22FCBDD2B178554F980A68025D32FB9DFB17E6EBBF533872DBA770891
                Malicious:false
                Preview:<EncryptedKey>U50f/xY0T0YLPuIbE5dOSbiF/FJE9xzQ9vLosl1QCPNle34oEbF54eZ7LHA9agrxz41wUAkLhuZymYDV8P0W7fD9MtEJRDzn6WC70eIxc0v7XcsULOr3tqK8YA9+TGOVSiXv99Mkjn8OBJ9telWNpyzBi7jMzG2nQA6KBbQGp0I=<EncryptedKey>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
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):335328
                Entropy (8bit):6.0001482158401
                Encrypted:false
                SSDEEP:6144:g0euMHwQF+iCySFJIcAwBxZ1OpjoGoWlaIp3qX03+D3SLMTJ6w5h9:g0euMHsMSFJ4MxZopkCqX0uDigQwH9
                MD5:AF83A065FC54124145EEBA5934D646B4
                SHA1:6834F5F7439ED22B98579C81542F77B412526B0A
                SHA-256:1CD500F7B6E2D63B4B12D17D09AD7FE679440F1D0596FB05002E56EF47383A41
                SHA-512:CBB573F31C9245C380A13E14DFADDB570962D5F33C01B8EA684DA6724696F5E358F2E5A22FCBDD2B178554F980A68025D32FB9DFB17E6EBBF533872DBA770891
                Malicious:false
                Preview:<EncryptedKey>U50f/xY0T0YLPuIbE5dOSbiF/FJE9xzQ9vLosl1QCPNle34oEbF54eZ7LHA9agrxz41wUAkLhuZymYDV8P0W7fD9MtEJRDzn6WC70eIxc0v7XcsULOr3tqK8YA9+TGOVSiXv99Mkjn8OBJ9telWNpyzBi7jMzG2nQA6KBbQGp0I=<EncryptedKey>vOSjUduWihl/xEOwdwIow1vz2nzZqg5qgiwcVfGp1Q7KQEgXsTWnrAbAzXapDz+VcmG8v+wyBqvvqy9TzOkYildNc3T4RJigZBGNigBhsDIMoCWKZrpicWGnH/D2/j/qmEUsrrkLL3degNzzOPYr0HHx/2qtmt9/JtmybJaZHMfAKohlWo10hUck3ujOLPM7xgJVWWxYBewaeJUKeJq49BydI7fPsyrY2sa/4rO/jHHz6VVCX64ULX6UZpm5mUFit+O9CzIF+bAqpIfvZmIZWWEC59XNE+sonQOyTiKF9oIBNnnoETY9c7wSTWFBuo9iZCmDgKeav7+rUV9KVkDa7Cib4CNNj+cOBz23JHtfL0noZ5dMVfxYIMqTcWXDO83+2pL9col6MN0t+HW2es6oGY8ycm60tHzvE8Tn9Q2VLsOFnccZDOeMn/3HJsVyIPktPliM1qGR+knhIrNiZ54gk/hwuyadsRO1ALCSUL8qsMztNjaB9k3bLnjoIjBHAajhXj5u3trySlm5yfaQn58jAxGu+kSzUpjXxeY7AQ5erQp8qQNrk08S+KcrsuvyrpoP/PwEfbHELdaz6X/zrWU/s+fnz6PzL3NVJTN2WoDiG+OQ1zWvRO7mK81++v6F0EOpBNedmsy06cWQBQ7mQRGMBAHPDAIEA+Mxr/nO3bBhpdH8+okPKFDHmj5yPQeAUrzokj4TSZq8nOsSMFziJgMiMJaHUWTrs9TaLTKE7czVRbnV7Atc+TZRxSBoUlp5bSEEBFujnwPwFsUieZWdrnAw/3d6KOIFidD3
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):459764
                Entropy (8bit):6.0000952765286675
                Encrypted:false
                SSDEEP:12288:Dl2H/e0Lxzxw6CC0a2a3gyyiv83F/BJBhcrNSsS:EfeP6/r2a3gykwS9
                MD5:0F1C079F3AD5841B9AA0D00530DD069A
                SHA1:B60A462877839EC815C41960433481868CC238DE
                SHA-256:A91B7FB287A463A76162A2076CC4D3729E6DB51534207EECD54FF8A6A7028A48
                SHA-512:D41A2ABBCF96974D55A02A78ED0C894BB2E91EAB0461A9201093181BC4048AE32EACB3E90C8636AC14080BBC885DDEB0078CEAEFCF3CD0BBBC817A66784F903E
                Malicious:false
                Preview:<EncryptedKey>mof3LDk8tq/DZl3NoFSBycxOyihXON5SAepuFGXnGA4pOGYOUxIwGfM31Xx9PlRLWinQ3ZhUoa6b2ThWLO01OlAeR48CcEq57GiXqif9XKwHoPerqzi6ZJGSWUuMuiidrh6eRi7+DiFoNmCLqxpIZIs1L5RFcx1yAs8p6ILeFXU=<EncryptedKey>fGQQT/NEcqT4ilOS/rbNc8QxSTLAFzV/JQqFRR5X12z5FubfdSN9Lm/UAD1JDfDYf0/Rv5cBDCdyQG+nC6/Dqh7Re/FMN/fokjNWaX6x1SqJ5SbYZ9xr2m8Vbk6EWpkxWA+tfKUeZ3U84HgCFC4CN5/pvWvRcB1HZvtxr9MJvTa/3Gu/deXDojRfS6vRhKufRvfzNSKSS7/Nkuv69TRL4TOdAZPwshX4LR682kgrnSMoh2aMsksOqr112il5HVaLk9cxs/Vs/H/33H5igJQv/Az50XLfnI/4LphD5Kv4DYrtaU6v2XSy9CsJL7NOznlrNQhFpzN7/NmaPFUfTWNURMHFh0m6jSBu0UbTLZaUou493dquhVH6QBmfCTXH1TcyMZstPjHiQkJfMd6ZdunKRJV1xP1VRabfyIu7LqekPB99NJ2tS+cqXwRpSTXMBPfJjlq0i+0EyNJayIqR8wJS9wZ1f26DAlpIuI4RuVBBKewWVHsElZy/6Spm7HV+qAGt5GjN0WVXs1BS7E8q7+gnc+v7ymfT5m2N4bb68b5dK3g5HWZ8CqXEsAzQIX+CHJhVASBQbEshTuWQ7TEGfgq+nbbaOZp7wO3wqvVMW1voSjHBqwH1ynaXj1IoXZjsMT1gn9O6ldKfELKKlB2LM0Qk1yRwA+cB7/vgFlMlSrl+WOUdmsEVu+tZTammUGcegXnZL1d2V1N4VLkvfzHUq6s6pK+GQo7TwLPP7QErtyrAQ7IKTkkmHunwPETV0EDSvrQaYuLMjS487C8lVF1F4uBPxCrkNvsKMHrs
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):2232753
                Entropy (8bit):4.5020163908144335
                Encrypted:false
                SSDEEP:24576:aqm935oZKQ84o5OLDsagUV3YwW8CkOzV2w1cirRamvUAV37kyvUv0OtUA4BX69KY:GnBLRIr
                MD5:A5FECC114A2CE6F71B32957BA8C8CE73
                SHA1:4DFF3AAC57BB62BF6B1B4E76D4600ACC6DA820A9
                SHA-256:C2EDA3C2B6DBA0F7D7297B8AD13DC57FA70CC091EDA464C8AB27EC2913B77E00
                SHA-512:21244648527CB4F2FC111E19D9E249940203532197B2199346C74052EB5869C8424562454CF437C194E77DA3EB3E603BF7E5F3F90C13400A12094210AED36C98
                Malicious:false
                Preview:<EncyptedKey>eGJsM2Yxc3BjY3M4c29qMnppMWxxbG5tYTBqazlmdnY3Y20zbWt2MTE=<EncyptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):328
                Entropy (8bit):5.85729333865777
                Encrypted:false
                SSDEEP:6:UGMEUtMtvccyo0Ls6sfurVAVdsgOwmj1aUAsqrO2P4sFqAWSejqyT:fMEDFws12rVAkBaPrL4eD8t
                MD5:8F4BC26B1777976B105F3803E1610233
                SHA1:88F59626A4BCFC84DD0BF5E5602F410CE43D485C
                SHA-256:C9F8A5DBDDDCC7A1CDFF62AD58811AE132FE08158196B2911737ADED0C96400A
                SHA-512:07046F44DEE786FC86773DCFB6216F59B81A777DA9C915A784AB6B9C836A356180194150358224AB378AF335DC57CEA36EC9A8631EC7F40CFA322AF8410931A3
                Malicious:false
                Preview:<EncryptedKey>FsRTE6CJ+TLCVH79wLyKM1Blz4dlNtV9Bnwfcalo6d5dWFeEdE/geL6/EkMlD+pX4+puyQL7k/bX97dvCxgJdkNh3UqdCKmfHCWz5UP2QO+P2WT+WzWFHDyARpxeXpDnCVafOych1dcLzdgb5iCeNTpudhLyp4ttSvWmRCTRPKE=<EncryptedKey>aLQpVvpQki/hqII7KLkK7WvtOB+L8pdRi5JbI2/WrYT3Etu1wojJujR3znICjPv9b81DAYCnM+F25GXiRLvFP3yxxaS7BpnxQ76oTD9JFUbXgBfH3j0Ff7gBwUQRpnSs
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):416
                Entropy (8bit):5.946417981842567
                Encrypted:false
                SSDEEP:12:fMEkg0Py7JcEY4zQ0VC1fIx3WK0v5a8WMnpl:fMHPyXYa4lKw5a8Lpl
                MD5:97CF5FEA0D322D8E8C7AF6394D46AE2D
                SHA1:FA2658EFEED885DED579A4952BA4EF9365465DBF
                SHA-256:0F373AE4855890870CBF38527FA4D176AA5775BFB97B36A248B948B1982612D1
                SHA-512:A34120DC941765CD10575C58EA9BF33962A766976AC08A54897CFBD8197E2057BA40E857532A862D3EB2EE1BA410E0C1E09CCB90311A5D92BDBDF9BB24EDC446
                Malicious:false
                Preview:<EncryptedKey>Sj3VTCriLS91FoHA9TLwES+/10M1PZHl+tSt83+fxYxB1ZCVOWN2cftZS5qqi+MZ6HGgT7MsJwii77n27rIA0gk0aWU3ZCFuINHVte6vvnpZ2g4EvsVbd5QIzbbNJN4pZc6GzrR9JtiGkyNRnsihtOzRtzg+FjtQkMrYW49PrFc=<EncryptedKey>eGIFui5C1SNzKA4J8RuwlN+GQ6cTERu78jE5VvMeeTuWsPQfolSaGnpTVJ3pwYTRWXWf7Yaoq89a9jzkfkgZUZrxK0OySWGwc6eelDuUsdfiqCM/Su3dXBZNs/eyHLjUubenu4uPvcLAfuds8xeKOk7gJihKEcm9qivcv+ChL+9sqvo8au1ScqRnsVjQIm74PE3khVsbs2jDEB09uL4p3g==
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):244
                Entropy (8bit):5.824466350608111
                Encrypted:false
                SSDEEP:6:UGMEUnjcDJnJsYa5piTDMydnBRCNeUtSTcNhEep57:fMEnJOSTDLCUdTfepN
                MD5:DF89006E9B225F6AB286606A0BF22CDB
                SHA1:DE7F6539E0397158F2A26334AD6458414CE7CBEF
                SHA-256:4BE91702866F716DDDA70E5641F5D20F6C382A76DEFEF1E0B2B1A623865D205D
                SHA-512:21E66D3C1B92440C43A36B4555C1846CE1AF4BEC62074605C53688A1804FB8612C359E320CC9015DCFE1306B52E5BE7E4CF6E7D27D0337E37039CB81C7F2744D
                Malicious:false
                Preview:<EncryptedKey>AGW2M0FmkJa1gfuYPPgfk4xmo/ar11612ElRE9BOi3++Gy00EZS3Gylg62DJRCostJxPj7y5rKDUXimwx+DjQquluIkLcQBR0994p/TSA3g6Ka7ZqT6BKWDQoEWIm2CJMMYTvZJ8F7ETlr+69Ls6mveBKgSBCIG+jIoiGJmEeWM=<EncryptedKey>/ZKH7vyebdK8dvexvvEyDQrC4TSNblsl3kAU4MPRvZs=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):224
                Entropy (8bit):5.806918931807584
                Encrypted:false
                SSDEEP:6:UGMEUW6dLEOqg3HE2oqSXDpON2OJPsPKUWsj1g6k/SIUaUgjlSsT:fME96dLEsPSQ2ONsPlj1g6Qnjt
                MD5:77190B2860BB0AF6AAC63AA7BCBD52EB
                SHA1:0A561F415C83BDD843B1B35A2073B2DFEA5A931C
                SHA-256:C951CC1D3225D42F05AD9728BDE81A744E78EE9A57840002C0BF02EB8E827E8A
                SHA-512:33FA16DB6F7D928E1ED617359AFD5DD2B6D6DFD4548CBA822D5EA9F8D40882E1A409C03C8242BE38F657A88CB379FE0A4FA7A1788A9D40D2E68127297BB1F190
                Malicious:false
                Preview:<EncryptedKey>Pyo008nUOrkVSWQ0dU+d7BRM+2RumpG9rsUwePGhAEBeTCGn/aHGP2TRg1AjNS/LmddraO/Ir7iKgPMbfjUoL/5yeGAl/UybZt9FkSJbcdDZ9uTAIYXjrlv/bqs7KGj4vcIkEf6qgkFuvTGV/S5GrMBkzs6kaJCa+6PgiEmwDug=<EncryptedKey>/BpBVcsrFtfNUddfIHq9uQ==
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with no line terminators
                Category:dropped
                Size (bytes):244
                Entropy (8bit):5.832360330763957
                Encrypted:false
                SSDEEP:6:UGMEUMTOEOdOnrtX9qMc/yzKuqrWTd/UcUmUDZw8y9w/:fMEDOEomrtYMc/oKuq0d/UcvN7w/
                MD5:35C284381D82CE0E34448E6AD855B835
                SHA1:46D832FB4A968650C06D48E6C9B76AFFB1A0A0FF
                SHA-256:0DA8F36BC99BD5283409BBC4BDA33A32A38F2CFDDA521225D582B62BA7F1E5D8
                SHA-512:0E5FA399B7EAB436755159F6477B1DFB4EEBD1CD04EF24615F6CFCF645C4777769D9E4E9F08B91E8153222C8680AEB84F11D5807A77CF89E662131FE93888052
                Malicious:false
                Preview:<EncryptedKey>eLvkSRcmYfXhl/sUWk1OJ3sV/fch3Oge1SSoEGN2pdNoMl1+ovKtZzrv46pxGv0MQm1PceoGjb/BQEzT31bbL1hllajmVrSUlyvYCmfWIO2BVEEgDbKsLCqoMTxvSTmgYFEg2CkyP0L60XusB8X9PEFYm9zA+VTrAoFWpGM0B2E=<EncryptedKey>ypSWh1y3GcghFCDFZTbUyBdNKK9IVKV4Kp+wH5q798c=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):480
                Entropy (8bit):5.9238935076255945
                Encrypted:false
                SSDEEP:12:fMEVJ/3T0V0DBAeHRplHighzjy/OVHYJDo8DReI1:fMo/oV0DBAe1igw/ciHDYC
                MD5:0E11C5055B274179D038F9FB1488C249
                SHA1:91BCCE799839F19D0722ACE47A39B25CC8F6470F
                SHA-256:2E7F065152B0794F83BE8B86329337F8FB91F609BCA703DB1FEB9D7C6CD7B662
                SHA-512:673D5B4F35AF9F5884800E31309EA04DCA2B221A4DB138A6AD30AF2EF11F1F85604C817809624735B233D68899C7BAE27413B81F5E06503AFCA42BC9645A6FFE
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>[Base64 data omitted]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):712
                Entropy (8bit):5.96278053612452
                Encrypted:false
                SSDEEP:12:fME76agdYI6Xguu7rB9PXTIPvvFbEhIdYgRVoY/DK+q6StD9jGSqYOW1bs3:fMe6a6Zuun+qhIdYqVoY+wSvqW1s
                MD5:8568983C9DE3FEAD2B74BCE39B65BEE6
                SHA1:FD3DDEB3E7FFB875E4957F0B301D2246956636D2
                SHA-256:21B9B278224F4AEF0F2DBEFBBFD6DAAFF68AF099783761294426AC189D3B9C89
                SHA-512:B00D3E5BDFBFB0507857BF8D1DC189346D2062041FEDD6BB600ED0F8D33685FB819679C9F51A0472F5C91C0FB7CDB43EA852F440039DFE5F9259909C044B9E9B
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1140
                Entropy (8bit):5.980528734245878
                Encrypted:false
                SSDEEP:24:fMBtOXi/lfDnJSrJnnHovony/1omhVgqxVPUJf0ljCQnawacV:UBa2fLJwnn6/1fh1XPUJf01pacV
                MD5:B7492F56C203E6F57148FF22D14244B7
                SHA1:366DE6E281B0413688EDE6D9B4FCF3F9C246BAFD
                SHA-256:1646B0B608FBFC99E4D755756A403F66E7BC2DFF11B988475122154FF251A028
                SHA-512:ED98B212562078CDC551B4BC5EEC1CFDA420ECD6D1C2765772A6C0CCFB0644A1F2AD69D7AAEE4B1FB4A0845740751E41006912FC1B63EC463E1D946DF4056212
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):968
                Entropy (8bit):5.98116682403208
                Encrypted:false
                SSDEEP:24:fMgZ08NBS48h9mR08RCxVzWxooaPcIsMjTABtOJLEl2bNubCPAIxBSFm:UgZ082nXwJCxogHssYt2kbCPhyFm
                MD5:2D2559E8B763D479703977A6805E6AB8
                SHA1:60A13342C3B523C7E417B268A074CD236D96FB59
                SHA-256:3F9F7BD814A1C4FD00415FF94906F50257ADEC92D235DF487DA2D9A3D90D22D6
                SHA-512:A5CFC181CB5B4977FD5D7CED0D9357BCAB82263235EB749D986FF4EDDBB5616AF1022B60DCEAED584745EBB667FB0DF01DE45E90861FC1D71A3A069A563AEE33
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>[Base64 data omitted]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):820
                Entropy (8bit):5.981183710765848
                Encrypted:false
                SSDEEP:24:fMkIzLukZGUb/IMYIOx4/KG5xxRCXUZzfq:Uk2COSuzfq
                MD5:DC8707402243B13C5EA215F6E9E81CFF
                SHA1:57AC9BAE8DB8C196F2159185E1DB7D05FB200971
                SHA-256:B22CC36BFAACBC5477A2ECE4BF8369A81E8C64D1343039DFA5ED9635AC1AAB66
                SHA-512:F2A066029B2010C01AB739E54C1440EA11A50CAAC6D58D57BB08F2A6B6142DAC75944C3060B0A2EA03A738619371584E15C33E147B2C62E8E88E671573EF08CB
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):436
                Entropy (8bit):5.917343231176202
                Encrypted:false
                SSDEEP:12:fMEL9sT4mTKc5zPgrYVqM8JWB4UkNP0B8RD7E:fM2Ol+Sgxc7AjHE
                MD5:096C428E1AE2DEAB368275311AD9D53E
                SHA1:8A08C27F35BB19BF3E22B6D1995F7AF45FA2A1F9
                SHA-256:0A4B04C78BD0C0DFD548955C00FB7A56EAE948C0AB1F910A07B21183F0765135
                SHA-512:08F0DABA86378A5698CB07E477DC9219EA2114FF983C779DF659FFD23CAA93529AA797191ABE9767CA36BBCCAF888BC0A91FA5E0D28F5A54CAFB256DBE5724BC
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>[Base64 data omitted]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):436
                Entropy (8bit):5.9430679374886175
                Encrypted:false
                SSDEEP:12:fMEKfI2ZT1WdDqdtGHLeoB3Z4I9q6HPqS5YXNXpl:fMXflp1Wd+STZtgSaXNXpl
                MD5:B556EFF15660855411419A6ECEE3BEC4
                SHA1:9CC989F4F55426BBBDA6C5C30FFB05EE04BD9F3F
                SHA-256:DBAAEB84E22C1B81B088B6D396FF5ABD29E3B15D09B3CF611949BB9E9D294F20
                SHA-512:2E3F847BCC272622331129A09A8EF48051BDC52EB4C8EE50CEA2210E1803648D4969F049EC615DF9352BFFEF0ED1B6E594DDFD84ED96A20C25995939E3F87D84
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>[Base64 data omitted]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):436
                Entropy (8bit):5.967555421161693
                Encrypted:false
                SSDEEP:12:fMEPQjsuYj3n9P6XJnPIl1tiOZLcZFi0m973pOkSf:fMvjsuWnB6XJAYOlIFLczQkSf
                MD5:8E6B9442691772E878C9E62CF49D6A26
                SHA1:BF2AF766A545BF2AD5547B64809C5FC124942741
                SHA-256:85D8AE676B1938C3A351253B938F28540AFD3BF10AEA8DD657FA796F19B6A906
                SHA-512:4618E9445EBA3E3B2705DB9DB8EAB9DC66666B3690850645C1DE8CB2DEC0F7FB1EA6776E9FA0EC4728A85DEB07F064278D421F8A7BB59A157081E3F428A761B5
                Malicious:false
                Preview:<EncryptedKey>[Base64 data omitted]<EncryptedKey>[Base64 data omitted]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):392
                Entropy (8bit):5.899280214749433
                Encrypted:false
                SSDEEP:12:fMEEW+Hpmbfib1tLstFZg4HN3MC4mj8ir3:fMqPQtLs64dHTz
                MD5:78A311860F3C55CC8FA537F473B3941B
                SHA1:9DA200EC0753197CE88574768C1EB1CBB1F4C8ED
                SHA-256:FD8C03A5DCA47B80F93EA1BABE67140565EB8896C61C0BBE9CF0718EA2A20229
                SHA-512:7CA05F89B24FE636980D0C680B9DAEBBD3B800A39B114C077A78E99CD8A26FB91D163ABE1916737FDA053A86BFF02F2073EA19FBE197FBC40A615262B36E088F
                Malicious:true
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):392
                Entropy (8bit):5.899280214749433
                Encrypted:false
                SSDEEP:12:fMEEW+Hpmbfib1tLstFZg4HN3MC4mj8ir3:fMqPQtLs64dHTz
                MD5:78A311860F3C55CC8FA537F473B3941B
                SHA1:9DA200EC0753197CE88574768C1EB1CBB1F4C8ED
                SHA-256:FD8C03A5DCA47B80F93EA1BABE67140565EB8896C61C0BBE9CF0718EA2A20229
                SHA-512:7CA05F89B24FE636980D0C680B9DAEBBD3B800A39B114C077A78E99CD8A26FB91D163ABE1916737FDA053A86BFF02F2073EA19FBE197FBC40A615262B36E088F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1268
                Entropy (8bit):5.983841746432034
                Encrypted:false
                SSDEEP:24:fMrnJ3h4Vvzd4qVZVvD6h8+zg+RGhwxJ+c8H+lgVPMLDiGMvADcpSLm/:UrnozlpDe8+zTWXVODi2DcAe
                MD5:79386C72BEF59A8A5D91EE510C1C8AA1
                SHA1:7A38A4797D23504DDEED29D595FF750AD30AB2F2
                SHA-256:EB37BF7F777ADF4E4FF8AFBB6034BE85267398F435B51E5F2FCF93202ECBEAA6
                SHA-512:0B0A87E31C3EB75EB6283A1FE9377A7281239E7A5709F853EBF7CAB3E4964BE11142204B74E61D9E1AC47F27BCFDD5404BC017CFE6527E6ABD58D42ACDF2E796
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):500
                Entropy (8bit):5.958472513811131
                Encrypted:false
                SSDEEP:12:fMEJBbLKldgAz7Ibr3BIhAtTx5Lx1ZynKLfz9crSF8R:fMMXIuI7Ibr3Bj5fZynKLGdR
                MD5:0D3DF32AAE32021FDDE1CD2A4A4E7B2F
                SHA1:879570BFF00F38EC527BE935A375760619110E3A
                SHA-256:66E6B14DBC5301CE1C4A53BEF1BBF75CB533A7B62D8F5B038E1B9AE8CC67CA2A
                SHA-512:FBC7466C37914FDCB82DC149B9A5D6DE44145B35F97FA6866548F1372E5BFFA03250FA5DD9CACCA1AFEC88005A1D0AE003C64A0F75D953E4FD2900003297EBD5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):564
                Entropy (8bit):5.953110003683005
                Encrypted:false
                SSDEEP:12:fMEmvSGJiyixUjOf9nZegGiJ+ccVsJKtZ8Gx806RCMymLkPzi6J6:fM/vlTiEOBZIiUjVsJKz8JF9wt6
                MD5:00BB83064118048FBC1D9645DB874564
                SHA1:E969E9AE6E0DF7F74399613E64AF32116C270555
                SHA-256:02A9967F8615244DDC94F4C016E2EA402CC29D5C82B2FBA0CD837EDEE4D22F03
                SHA-512:A74EF8305381FDEC646EC4E449469FFE1D2DF59ED1846AAB79A765D1F829AFFD274C749EA8B09ADEA0C0429B575892C3FEF75F93585848ED2A1DF084766ED227
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):436
                Entropy (8bit):5.9264550740491675
                Encrypted:false
                SSDEEP:12:fMEf3J2+BgDqFlxk4XcKQj7mBEdq1VVamG3HX:fMKCDqFLcKeWXVVamGXX
                MD5:B90E62817F159CFF20A1BA0F465B33B5
                SHA1:D23A2C260BF0B8F21D581C97AB29FA6607F43EEF
                SHA-256:9D35BC20C5613C8A530DC7E57D97B9B0134882980B4683079E8E3178C0D2D59A
                SHA-512:BA6187E4046DAE3DFB1E4076A7378F285A11EF48424890AEB59FD1706667F77B3174800338376256AE34F99A278F9DD3FF041E77994E6FB7803CD029A038EFB5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):98868
                Entropy (8bit):6.000234821521619
                Encrypted:false
                SSDEEP:3072:MAd8jqYW0e4fWYwvPkM9H7VBHc0sCeW4ygkOljKedHnX:HYW0XWFPk87XzsCeW4yg2uX
                MD5:EAF34477A00C58BEE02B5A84516808FE
                SHA1:7FA221BFD5BBFDCE08ADBFF2B358C0E8EF5935D7
                SHA-256:C8858EB567C93F566BFF9E9B6B13A3B626A009D30518D1D2BE338A547B95FA05
                SHA-512:FB1F7BDDE07E9FF36725C61E92F7EEA1E79CF8D22BAD23F22CEC8AF7AAB0E87F06C6B3AD8027EBC5725E3BA621CA720F039A76BF6F99A4611C0CBBF0DEAE6456
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:modified
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\Desktop\enxV0qANdU.exe
                File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Category:dropped
                Size (bytes):26624
                Entropy (8bit):5.040668756488705
                Encrypted:false
                SSDEEP:384:Uo3Mg/bqo25M0RHcY5pmyjuwzUHJhr91CHW8wNa9get:UWqo2Zn5pPjKphr9z8wNHet
                MD5:CF6FF9E0403B8D89E42AE54701026C1F
                SHA1:A4F5CB11B9340F80A89022131FB525B888AA8BC6
                SHA-256:A7F09CFDE433F3D47FC96502BF2B623AE5E7626DA85D0A0130DCD19D1679AF9B
                SHA-512:DCA369DE908FF4D8A6B095243D8837AD9EB885C78544565586196451F99303E9BEB8635E01254514B485F22298B3EAF69AFB3666B6032959AE3E9567E78DC575
                Malicious:true
                Yara Hits:
                • Rule: Destructive_Ransomware_Gen1, Description: Detects destructive malware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Florian Roth
                • Rule: MALWARE_Win_Chaos, Description: Detects Chaos ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                Antivirus:
                • Antivirus: Avira, Detection: 100%
                • Antivirus: Joe Sandbox ML, Detection: 100%
                • Antivirus: Virustotal, Detection: 59%, Browse
                • Antivirus: ReversingLabs, Detection: 90%
                Process:C:\Users\user\Desktop\enxV0qANdU.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):26
                Entropy (8bit):3.95006375643621
                Encrypted:false
                SSDEEP:3:ggPYV:rPYV
                MD5:187F488E27DB4AF347237FE461A079AD
                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                Malicious:true
                Preview:[ZoneTransfer]....ZoneId=0
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):756
                Entropy (8bit):5.954711952684122
                Encrypted:false
                SSDEEP:12:fMEbjj4/fvbtBwZpqrk4xT7/f181qcP0k64zNGT7qp6g8lczgA1UXTV5lD0Sb3fd:fMCfObTSArk4x7/NQPVcypv8OzfGTV5F
                MD5:5358E5C7834303F13EFC25D664A73F98
                SHA1:C52CBF978CE2B1E678ABC571A28803D97A40C849
                SHA-256:81174350189D12D558F6D1F35B3078EB755B19CBEAD1CB7FA8F764D857C61824
                SHA-512:0B95BA3357E75D0E362EC4C7C3E8B9013D6032F6840439442861D8CEA72B7DD4DB0EB6457673CE466F0E76DF73114266773DC538B6971C951005A09D2E544E56
                Malicious:false
                Preview:<EncryptedKey>lceAET1VxVcuLeIaWWocRume6pwDLjsqWw0FvZOg3wYZ1frMloJieCunOR0SAkldqvPYSXUtwwYCCXDQLW2vExw5IVFjRoDD/SBrwXj1BUwP0+U47K8YY9pCdojORnqW3ztzUzE+8kNJQ4d6vEisqsydwpaJdPCz0tJFhN2POh0=<EncryptedKey>AYBJ+oFqnVaZq0XXNxYuoip7yzuZDwutNHv5oDLdD3mA1FEXpFP9xp0sfWD0MADykc1Drk16unXAOPChXTlAq39LmJv8KNHDKRZhLasjt1uSpxIznViobopKXIeuelh0U76Jp5RhMpX34VB4WCCdxm5f7C1uU54fXeEYQKreGL7D7RXnIXbdD2MBe8bOvUzNAoB4y3vePTGukX26/F0ttau9zlaA/FTYbIb9FSirACgTLay+GCkstpKyxcWpsD7suhbwTa1YuCS3eukLlRfC1EH+v2eT7f92laqTrogebasnQa2904lqL/Ig3SntQOEqPsWdShb5pFGDIiGJZwGn9phZXjdi3JIiidqCxrPnYtAfEaW1gshEex/mqUcDoAAdbYCe4rjUf85SuXQ1FOntNvOjn8k6yDWPIvGdIXrlMEtM/Xh2N62asR4b3tARJnKVezgJL8uMGnz6IApsnPvdFVc6seg++9unCgZyX64Ddk9djkYFFwQbx7sx2bzppJu+ufywi2Pg60TEj/hotghe/3g9ZF/teuw2Ja8hC5xSppI=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):756
                Entropy (8bit):5.954711952684122
                Encrypted:false
                SSDEEP:12:fMEbjj4/fvbtBwZpqrk4xT7/f181qcP0k64zNGT7qp6g8lczgA1UXTV5lD0Sb3fd:fMCfObTSArk4x7/NQPVcypv8OzfGTV5F
                MD5:5358E5C7834303F13EFC25D664A73F98
                SHA1:C52CBF978CE2B1E678ABC571A28803D97A40C849
                SHA-256:81174350189D12D558F6D1F35B3078EB755B19CBEAD1CB7FA8F764D857C61824
                SHA-512:0B95BA3357E75D0E362EC4C7C3E8B9013D6032F6840439442861D8CEA72B7DD4DB0EB6457673CE466F0E76DF73114266773DC538B6971C951005A09D2E544E56
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984847726169774
                Encrypted:false
                SSDEEP:48:UPk17lEzbJyMCUrTjoXvccK1r3YzsrBwnZtRWWKQ8:UPkbooMCUrTSUcUIzsrBs8Ww
                MD5:6651577AE0EE46916E51557610350E7A
                SHA1:11D94487E43D3A9E59267208E22893D69490D243
                SHA-256:C69DFC4E2A456C9FB7946F4C1E870BA0AE206423E4E5E010215A696C9697D926
                SHA-512:F247CEBAF9C3F7258CD50EA302BBC6809068FD65E132313CA5432CE4E163621C0AD32DFD67D21B454FAE91FE172FA9CECE75C222F94454E78A3AF03707193B0A
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984847726169774
                Encrypted:false
                SSDEEP:48:UPk17lEzbJyMCUrTjoXvccK1r3YzsrBwnZtRWWKQ8:UPkbooMCUrTSUcUIzsrBs8Ww
                MD5:6651577AE0EE46916E51557610350E7A
                SHA1:11D94487E43D3A9E59267208E22893D69490D243
                SHA-256:C69DFC4E2A456C9FB7946F4C1E870BA0AE206423E4E5E010215A696C9697D926
                SHA-512:F247CEBAF9C3F7258CD50EA302BBC6809068FD65E132313CA5432CE4E163621C0AD32DFD67D21B454FAE91FE172FA9CECE75C222F94454E78A3AF03707193B0A
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.988082999674575
                Encrypted:false
                SSDEEP:48:ULxzyhD7iQKCXLYLASdtKxst97Wz49GFZKbiLD:UdzDCXL2A00cSIGF8u
                MD5:FB2DA3B6AC24BFABB8E70B80E50878EF
                SHA1:F95E26D09FB592E80EB8E0A3FD517A20D093CB49
                SHA-256:A3DCAC98C62004320A1C207E9D6351A79C249DA6AEA0D6F4D254DE2C3817E398
                SHA-512:EDC443919B45884F05BF8A8802B2B6FE77D51DE5011FC80B41FF99C458F49B925E46109482634951C7E98EADFEF603BC2838B0853DAE637A0AEE44D991D728A5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.988082999674575
                Encrypted:false
                SSDEEP:48:ULxzyhD7iQKCXLYLASdtKxst97Wz49GFZKbiLD:UdzDCXL2A00cSIGF8u
                MD5:FB2DA3B6AC24BFABB8E70B80E50878EF
                SHA1:F95E26D09FB592E80EB8E0A3FD517A20D093CB49
                SHA-256:A3DCAC98C62004320A1C207E9D6351A79C249DA6AEA0D6F4D254DE2C3817E398
                SHA-512:EDC443919B45884F05BF8A8802B2B6FE77D51DE5011FC80B41FF99C458F49B925E46109482634951C7E98EADFEF603BC2838B0853DAE637A0AEE44D991D728A5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.98731274326057
                Encrypted:false
                SSDEEP:48:UkHnaH+siZzTRjELT7TCFFiotSBMbuQj0f+:U0a9iZzNjELTOLtZJ
                MD5:06BCAE551CDE7FD1291F025EA6915B5D
                SHA1:8DDDEDD7BFCF60FC670B43453B2888097456B2E3
                SHA-256:0B09FE890E198CED098A913A7FCC98339F0E3A44E68411FD2E7084150578D2CF
                SHA-512:AEFB78461FD02E3202CD3B7506090744354F6F9B10390E70CADE14BB4FBD820A66C4A96141D754F793F31785C5495CEE5BCD4D35DDF22EE0FDC9F9153416AF3B
                Malicious:true
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.98731274326057
                Encrypted:false
                SSDEEP:48:UkHnaH+siZzTRjELT7TCFFiotSBMbuQj0f+:U0a9iZzNjELTOLtZJ
                MD5:06BCAE551CDE7FD1291F025EA6915B5D
                SHA1:8DDDEDD7BFCF60FC670B43453B2888097456B2E3
                SHA-256:0B09FE890E198CED098A913A7FCC98339F0E3A44E68411FD2E7084150578D2CF
                SHA-512:AEFB78461FD02E3202CD3B7506090744354F6F9B10390E70CADE14BB4FBD820A66C4A96141D754F793F31785C5495CEE5BCD4D35DDF22EE0FDC9F9153416AF3B
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987216276721579
                Encrypted:false
                SSDEEP:48:UKEcZO7NcxwtLE4SlOj48br/Laf6m/tlBqIu+jVd+9zMl:UKEcQeKtOwbr+is7xjVg1Ml
                MD5:0CAF5C95DE7F31456688AAB38D2C7EEA
                SHA1:43F0244A593DBC68CD8C1EE4E3C744D4B09CE20F
                SHA-256:CF68748C4C08F8F6B67B6FDEB5714EAF2C8FF273C9F4EFDC2CB578CC1F6998CB
                SHA-512:03EB112112833A656DD202923FD70F7B952F3076226B465C9086DC95C2DC274427305B85309E357EE144E7C6170B12CC9B3750F0C3BC88B8253CA234BF489245
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987216276721579
                Encrypted:false
                SSDEEP:48:UKEcZO7NcxwtLE4SlOj48br/Laf6m/tlBqIu+jVd+9zMl:UKEcQeKtOwbr+is7xjVg1Ml
                MD5:0CAF5C95DE7F31456688AAB38D2C7EEA
                SHA1:43F0244A593DBC68CD8C1EE4E3C744D4B09CE20F
                SHA-256:CF68748C4C08F8F6B67B6FDEB5714EAF2C8FF273C9F4EFDC2CB578CC1F6998CB
                SHA-512:03EB112112833A656DD202923FD70F7B952F3076226B465C9086DC95C2DC274427305B85309E357EE144E7C6170B12CC9B3750F0C3BC88B8253CA234BF489245
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.986232674074608
                Encrypted:false
                SSDEEP:24:fMa0WF6h32X2VxOthg/+m17xHS4W3hfnPMoSLVh5cIJUzULvCPpJZxYfSw:Ua0w2hj+4xHS4WRfnPmcK74pJ8fSw
                MD5:A8574935CBE2CFE7BA20273C60472687
                SHA1:AFDF608E4665B19D4AF7EABF709180B6383FA9B2
                SHA-256:F92F8C01DE62AABB319BA5C6EE6A9E3F7B8CBD69D175CE8D1F795DE863F216DA
                SHA-512:7D72428CE2244D9E599C371FE0348DA5B9E0F60E1805E8A293536BA815244EB5E5AE7EAB74930C4878DE3D78077F67A6509D185C525A9E8FF93AAEC1CA8BEB80
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.986232674074608
                Encrypted:false
                SSDEEP:24:fMa0WF6h32X2VxOthg/+m17xHS4W3hfnPMoSLVh5cIJUzULvCPpJZxYfSw:Ua0w2hj+4xHS4WRfnPmcK74pJ8fSw
                MD5:A8574935CBE2CFE7BA20273C60472687
                SHA1:AFDF608E4665B19D4AF7EABF709180B6383FA9B2
                SHA-256:F92F8C01DE62AABB319BA5C6EE6A9E3F7B8CBD69D175CE8D1F795DE863F216DA
                SHA-512:7D72428CE2244D9E599C371FE0348DA5B9E0F60E1805E8A293536BA815244EB5E5AE7EAB74930C4878DE3D78077F67A6509D185C525A9E8FF93AAEC1CA8BEB80
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.982071074114198
                Encrypted:false
                SSDEEP:24:fMgvXzzOMgcx3S99pRbYOtrWb0IPwW1mtIKs5AalNd0D6lAGN2L0NqKe3MmdZXKs:UZcwTef1myKsjtf2Ave3Pdcghv+D1j2
                MD5:A300C2FF539D5DE5409070AABCEDE659
                SHA1:C1D8DF445D4FDF386B65B097BC83188812821296
                SHA-256:9C7D83ADB26B70A1DDA15B5D3E89182152C90877EB36460779D4D799C8FDA203
                SHA-512:E74BEFA3BD3B4A86F4910A553590D139A83FF5930BA16EF678222EAC7421029849789D4D92E4134A6ECFAA099D39C371816360EAB65AE7F2873DCFD49973E36F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.982071074114198
                Encrypted:false
                SSDEEP:24:fMgvXzzOMgcx3S99pRbYOtrWb0IPwW1mtIKs5AalNd0D6lAGN2L0NqKe3MmdZXKs:UZcwTef1myKsjtf2Ave3Pdcghv+D1j2
                MD5:A300C2FF539D5DE5409070AABCEDE659
                SHA1:C1D8DF445D4FDF386B65B097BC83188812821296
                SHA-256:9C7D83ADB26B70A1DDA15B5D3E89182152C90877EB36460779D4D799C8FDA203
                SHA-512:E74BEFA3BD3B4A86F4910A553590D139A83FF5930BA16EF678222EAC7421029849789D4D92E4134A6ECFAA099D39C371816360EAB65AE7F2873DCFD49973E36F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993094228324529
                Encrypted:false
                SSDEEP:48:UToAKXSeyL5/kv0b8lDrqSm09bIsfwzxwJb/mHc6n:UTXKXyN/G0b2DeX0tIs4twJzmHLn
                MD5:6CECB9DD798B2CC38BA2706527E93C51
                SHA1:9B75D9603B7BDBA517BAE0E70C3302F57F7F5F3F
                SHA-256:2B6CE602B8628F852A6CCBE0499DA10166A34444CD6C168144B39403622F7D68
                SHA-512:7694B86717E6FF20C81B26E446D00A21F5271741BBA3910EDCC724328581EA024EC61FFA1E7002B01A918358066BACD40BACC1C7A3F2D9034225A5BBB7B5B387
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993094228324529
                Encrypted:false
                SSDEEP:48:UToAKXSeyL5/kv0b8lDrqSm09bIsfwzxwJb/mHc6n:UTXKXyN/G0b2DeX0tIs4twJzmHLn
                MD5:6CECB9DD798B2CC38BA2706527E93C51
                SHA1:9B75D9603B7BDBA517BAE0E70C3302F57F7F5F3F
                SHA-256:2B6CE602B8628F852A6CCBE0499DA10166A34444CD6C168144B39403622F7D68
                SHA-512:7694B86717E6FF20C81B26E446D00A21F5271741BBA3910EDCC724328581EA024EC61FFA1E7002B01A918358066BACD40BACC1C7A3F2D9034225A5BBB7B5B387
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991532784251102
                Encrypted:false
                SSDEEP:24:fM3kT1TqRmmAe2X6HdxmfZDxmEnEwZXXgg/RzvSDej339sB9hW2fM5wKft7qocVG:UUT1THmAeha5x5xHtJvei9sBV0pwTLGv
                MD5:AEA4EB6798BC40B8C9AD8DDF81291DC6
                SHA1:36D9878D3D2D4A3C30A835D0DDA8C92FA0169AD7
                SHA-256:FF252C4424B3077D82D1368F32C6DCDD56178898E7BC941B72A90B43363DAC35
                SHA-512:CC5B4AE1DF0487BD832EE5B6A017CA92504C918DA0CC6B2379C1F0C50811B0BD9D57A0ED0132DF773DA45C8633C0873F92D03C0291218DEFD50B2B77F63C1AA2
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991532784251102
                Encrypted:false
                SSDEEP:24:fM3kT1TqRmmAe2X6HdxmfZDxmEnEwZXXgg/RzvSDej339sB9hW2fM5wKft7qocVG:UUT1THmAeha5x5xHtJvei9sBV0pwTLGv
                MD5:AEA4EB6798BC40B8C9AD8DDF81291DC6
                SHA1:36D9878D3D2D4A3C30A835D0DDA8C92FA0169AD7
                SHA-256:FF252C4424B3077D82D1368F32C6DCDD56178898E7BC941B72A90B43363DAC35
                SHA-512:CC5B4AE1DF0487BD832EE5B6A017CA92504C918DA0CC6B2379C1F0C50811B0BD9D57A0ED0132DF773DA45C8633C0873F92D03C0291218DEFD50B2B77F63C1AA2
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992177363697527
                Encrypted:false
                SSDEEP:24:fM0rPO7LTUMSikiYotpkB0TbkRhR3Um1mkASYHKESIgTeBNqxDkeqwqs3u51LvSj:UjzS9iYD0HYhmm1dYqjTONqJZ4TWO4
                MD5:2C681EBA24095E11018F2E0AC506BB8C
                SHA1:2CE9482B86C9B33E18FC04283F272E269C27B2DA
                SHA-256:E2681AA5A5D2AE6AB6BB23BF54A0B9EC7E1CDC88CA5D12E5AC98B78C7D8BC752
                SHA-512:B97CF33AC3A1E53D6F185786056E460D6275E641B9C996FA662DDD0FE02E34C2BF63D06ABA43B304A6A2BD62DDA9DD3722FE3BA13E4A7660888770AA58FBB06F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992177363697527
                Encrypted:false
                SSDEEP:24:fM0rPO7LTUMSikiYotpkB0TbkRhR3Um1mkASYHKESIgTeBNqxDkeqwqs3u51LvSj:UjzS9iYD0HYhmm1dYqjTONqJZ4TWO4
                MD5:2C681EBA24095E11018F2E0AC506BB8C
                SHA1:2CE9482B86C9B33E18FC04283F272E269C27B2DA
                SHA-256:E2681AA5A5D2AE6AB6BB23BF54A0B9EC7E1CDC88CA5D12E5AC98B78C7D8BC752
                SHA-512:B97CF33AC3A1E53D6F185786056E460D6275E641B9C996FA662DDD0FE02E34C2BF63D06ABA43B304A6A2BD62DDA9DD3722FE3BA13E4A7660888770AA58FBB06F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989256738468917
                Encrypted:false
                SSDEEP:24:fMNASPuqUDhT0YKW7dcoQ0Ii10uVxW2FIG4/vfVP3NAZ69noA46BE5wMcKLQvoet:Uan0E2i19xf4NU6J12LQEk
                MD5:723E7B1AD04B0E78144F4B7393363D2A
                SHA1:DB4E42A5000E68E92602778EAD0F351F78FA747C
                SHA-256:36D0125C360D09DAD2B5433DEC270DDEF2714C086BD12434836FF90894B9B647
                SHA-512:53152759747D8C555E1E73F9A20269407D65D58A1F1712D16EC06CC31F78FA0A523F73928AF0378CAECF3D130F59BF83D2174ABDA4D0807B8F6BEB3A37F2A753
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989256738468917
                Encrypted:false
                SSDEEP:24:fMNASPuqUDhT0YKW7dcoQ0Ii10uVxW2FIG4/vfVP3NAZ69noA46BE5wMcKLQvoet:Uan0E2i19xf4NU6J12LQEk
                MD5:723E7B1AD04B0E78144F4B7393363D2A
                SHA1:DB4E42A5000E68E92602778EAD0F351F78FA747C
                SHA-256:36D0125C360D09DAD2B5433DEC270DDEF2714C086BD12434836FF90894B9B647
                SHA-512:53152759747D8C555E1E73F9A20269407D65D58A1F1712D16EC06CC31F78FA0A523F73928AF0378CAECF3D130F59BF83D2174ABDA4D0807B8F6BEB3A37F2A753
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992910524938339
                Encrypted:false
                SSDEEP:48:ULFjGR7INOSvCbWjkvDg9fvJEnx52TNrOKGKDq54:UZjK7IfCyjWU9fvJ82YCO6
                MD5:D020E12F21314265CF29806ED12E0E87
                SHA1:38B1831C0EB65A378C28C6AE725AE0D478D646C7
                SHA-256:91B031F315BA4478219C99F08CF26C9850AEBC7FEF5034A222034D0D9D286898
                SHA-512:CA09801E4B817A2B6632E22A02C2A651CDD02EEF3513D4FBF9A7E2D2755E2BFDF95437521F8B9CDB2C58DE0129CF1A690E2A0C9ED4BD8B94BA10BF15A7D27531
                Malicious:true
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992910524938339
                Encrypted:false
                SSDEEP:48:ULFjGR7INOSvCbWjkvDg9fvJEnx52TNrOKGKDq54:UZjK7IfCyjWU9fvJ82YCO6
                MD5:D020E12F21314265CF29806ED12E0E87
                SHA1:38B1831C0EB65A378C28C6AE725AE0D478D646C7
                SHA-256:91B031F315BA4478219C99F08CF26C9850AEBC7FEF5034A222034D0D9D286898
                SHA-512:CA09801E4B817A2B6632E22A02C2A651CDD02EEF3513D4FBF9A7E2D2755E2BFDF95437521F8B9CDB2C58DE0129CF1A690E2A0C9ED4BD8B94BA10BF15A7D27531
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987747136005826
                Encrypted:false
                SSDEEP:48:UQNo/6TtlQZlPnAq2i5LS2mte5aLe7a0/EPP9DdK3:UQNo/6TvQrPAq2i9mte0U/qDdK3
                MD5:91D146166140FC965BE5CC0926FFC346
                SHA1:65698AFC9812FB276C1C03D69180D80A28DA34C1
                SHA-256:031F849BCC3D9EAB173777B6FCA81EF9A4BDA6774A6B892956EE92258E769C22
                SHA-512:C9F77EF1071395CDBFA74363C465350A8F5B14CA63EC6A5FE9D0D83FFF28EF7E2B3244F44C13A4A7685D2626DACC9CC8AA6A79C5F667C5E69D0BE395E5C8FF90
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987747136005826
                Encrypted:false
                SSDEEP:48:UQNo/6TtlQZlPnAq2i5LS2mte5aLe7a0/EPP9DdK3:UQNo/6TvQrPAq2i9mte0U/qDdK3
                MD5:91D146166140FC965BE5CC0926FFC346
                SHA1:65698AFC9812FB276C1C03D69180D80A28DA34C1
                SHA-256:031F849BCC3D9EAB173777B6FCA81EF9A4BDA6774A6B892956EE92258E769C22
                SHA-512:C9F77EF1071395CDBFA74363C465350A8F5B14CA63EC6A5FE9D0D83FFF28EF7E2B3244F44C13A4A7685D2626DACC9CC8AA6A79C5F667C5E69D0BE395E5C8FF90
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992048998741292
                Encrypted:false
                SSDEEP:48:UxHcJtqmWse6IF2Z7ShkUaoutmclt56hqhLn72j9f:UN6ne6bykUwmcvZLCV
                MD5:0E7FCA0EF30129C1175BE17A56A81707
                SHA1:A6AE8F1BC6F2177E144E3D212ED711DB23C37AE1
                SHA-256:4F58D0E69E4A651D52869246859939E206F8E7F04677C4F48E518E4322C0CAFF
                SHA-512:642CE1159C85947DF9FEE6B6ED094C57761B287A2C7470EB98E15E1B52DF98D7B5520987809C1686AFA17981E341A3F39FA3012A2F6B0353227E563D04813675
                Malicious:false
                Preview:<EncryptedKey>R0e7mdDLvJIzarXTp9HPWRoUXZFYA1PBlNwHlN8ZcbuBj+3SiM9Y2MDJSJMxtNZRRQXnWsDrN9kR/VgSwN8Rzctg6hNRZHtShGbIkG2JHNt2KZJ9ZdhvrRZQIkoDwvdeGIyv/h7CZsw4WfqN+cuxWsN40YBPGOJRlO7VCxxyu20=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.99465600061072
                Encrypted:false
                SSDEEP:48:UOKFz6QgLbXBf7GqzNaU8OxqCA5pIfnj1l7VyVI:UOKFzvgLj9yK5XWS1lEVI
                MD5:429FA3BB5C1C856976DEC05901DECF04
                SHA1:F0B97C8DEBD1D2475DDE666BA8DC4F49B4310FEA
                SHA-256:49A86EB500F15DD304946F40167C6E38698F5EEA8F84C85D720C2C526EA725B1
                SHA-512:3EA8C6D5984167C6B90397AF9BF825DE06EFD8BC9880FEE72FF2E55CEA049D6A38E54C2EF8D83256EF3799484EE21B173DF442DF4F9EB164473CDD1B899D3849
                Malicious:false
                Preview:<EncryptedKey>azRxD8hy1SeIN//LlBdVwUVUBN5BCTLHdCgcC0JSkowqVg6sTY2prvTJDKRXmfs4aX4vwSRtAHuOdCxM9/br9qrX19m+Zj+7WDWNkrAwpOgXZipqUC9SELyHRO9iK4yEZLXUSmUV+SVX0CIrYCglbRFJUJVxkzLvJxPceTVN9UE=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.996347952932386
                Encrypted:false
                SSDEEP:48:UpTOmWz7P79S9J5LIJBtR7sRvfn/rpm2uzJEC2gw:URWpS9LIntRgRnjKza
                MD5:C1BDA9BA24881F9325E88FCD4188F5BE
                SHA1:0A896389D5EC9D4F5C20CC2153AC8943FC3CCA10
                SHA-256:07BBF90DBDF4F6B71198949F79AFD0CBCB4C1CBA936FF2C0F9482E2DB8D759FE
                SHA-512:7BDF611DC57A615285184BA7C0D60148F06323E167A990717BAAEA6E45379967D5F4DFDC5C387CC5FD061F6A6DFB7CC0EE1E62F2FA84D2CF937004EA147E681B
                Malicious:false
                Preview:<EncryptedKey>ntSTfUAxnK1CkNW/XV1cgw8WAmzfy6QfSGLVmlsfi4U/DFQ3GDtheXPMqq2BUaHMTGy3ly+8mYsjCIh72Ye/fx8N0IiWwqkOydYHPODDKtebFi7G/YinMyWZB8Qiw1aI0WJ9rooZjcwvw767b3kTzPuITtwRtVs1CAfwIFQxBw0=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989703665598348
                Encrypted:false
                SSDEEP:48:UZSMBDPv7j2kH9DeAURgHNuHAuBjEELFd9y1D:UZSMlvfJw5iQA4jEAd9y1D
                MD5:D342CBE0BAA61AB44DEE82961DA1CAD1
                SHA1:BB38B161EBE407DA4D11A31001B9880117A17C6F
                SHA-256:BEDAA64BCAA136D83DAE1E5767C9AC2DCE9BDA1A6FECA6D4716A4AF4F0E61301
                SHA-512:8F51767E2D6EB6D58A51086F4354810DEEDF006523BE1C426397428DC5155E20EFBB2BAD4A5F8B16D119407EE37E5323AB7258902F45E72A3065634C7AC65C29
                Malicious:false
                Preview:<EncryptedKey>ANlztCUrHJOLmZaGkJY5ppolWe7S01XRlzbzOTadWlfWeKTsRr6Uq7lASLzBbdlKwRW1wFGF3EvirsaP7h1JXQtSMIsKAYDbi++7KtXo9qFU+0NLUHlYH7Zi4TXe8sqTV/ZXv4+18dpj7Ro86wKF57ANOYGZEpZSyFIlXfqXFv4=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.990523308473286
                Encrypted:false
                SSDEEP:48:UUT1B1TCfGFTKAdguQ8lA5DSc4MjtKVN1ZnYTwOzl+JvW5bicwOTvBF:UqXMeFeAdgR2A5DSTUt41uwOZOOcpOTH
                MD5:D8D84E2341AC8A33600345A36D54A9B1
                SHA1:BEFCC37A05D904E5198E05C8275A87B19A4B32AE
                SHA-256:4C7080E82A6559322656B1C0EA2512E4C996E575CB5B2A21848149E959187B27
                SHA-512:272A756B86211EC24B1305F8AA2C302E515D742AAC2485AD362E95E09823A0C2835BEB33F4B3D9988AC3047624ABC25E8F88833CF7F11E25C1772F12917F367E
                Malicious:false
                Preview:<EncryptedKey>a/oGpAD1ZcFOnhgM/S8JDv/YtYvRuLWftFHOnCqg4vUjx6liS65w0lunGLV3A8qoHJ8vDdYCM1d1p49tgindM4IHSTCc57D3Fd9EvYgM1jl7AKrQA6qFbGuynLk1znLEjyknA0VSxcwtpvaXCLZO8TXSnc3zO5ehFuRGkS7nEvk=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989331974387589
                Encrypted:false
                SSDEEP:48:UzMxBpkCuUVV96HHG8CPLMmSfQItJxtS+r:UcpYUVOGTQDPt3r
                MD5:56CFB083F396BD78FF1DEDD52B465C21
                SHA1:E02BCAC18FF5BF68257FBF10E797FFA76F1EF91C
                SHA-256:FF38A69A213875E721C7EAC5939C0F2CC5C6A1562B654FED5DD621F49A7F9129
                SHA-512:1900A5003CB29D7A11DD68F28617E112E4D6E6EE27CD68ACAF98FF5A88D02EC43DD7DB67624A2D7191A4D78E528C1333A973D129B0396DBBD32EE1F4F6E5F4D4
                Malicious:true
                Preview:<EncryptedKey>mTDZdDW1ivvfRtM1Z/kJUjCAFsn4G7FwFuRJ15HNiECHUDtilyACZQ7lCoY838A09lzE5+NmThYNCzfJ8ZL0is8rSzhts+N4toXJvA0Vf1CUIe3q8SCnsjizwnvYhKpH789v5UiKXWJz1PntxaoL3z4pWjeVMVgx6jFMH9VU2VI=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989331974387589
                Encrypted:false
                SSDEEP:48:UzMxBpkCuUVV96HHG8CPLMmSfQItJxtS+r:UcpYUVOGTQDPt3r
                MD5:56CFB083F396BD78FF1DEDD52B465C21
                SHA1:E02BCAC18FF5BF68257FBF10E797FFA76F1EF91C
                SHA-256:FF38A69A213875E721C7EAC5939C0F2CC5C6A1562B654FED5DD621F49A7F9129
                SHA-512:1900A5003CB29D7A11DD68F28617E112E4D6E6EE27CD68ACAF98FF5A88D02EC43DD7DB67624A2D7191A4D78E528C1333A973D129B0396DBBD32EE1F4F6E5F4D4
                Malicious:false
                Preview:<EncryptedKey>mTDZdDW1ivvfRtM1Z/kJUjCAFsn4G7FwFuRJ15HNiECHUDtilyACZQ7lCoY838A09lzE5+NmThYNCzfJ8ZL0is8rSzhts+N4toXJvA0Vf1CUIe3q8SCnsjizwnvYhKpH789v5UiKXWJz1PntxaoL3z4pWjeVMVgx6jFMH9VU2VI=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.981609965288653
                Encrypted:false
                SSDEEP:48:Ujr0l/LpJliruyzLU03zYfTxpKr7l+3nwQ9KG4M:Ujr0RLboU8MfOrh+3BwGv
                MD5:B4BBE9D07AE91A54EA66EC0C2927E51C
                SHA1:0CFAB4E6E2F3C80FF9804AEF4EB82D33C92606C7
                SHA-256:461ADF4690041E21468291936D99B87AF32D54BD47A5F0457DA811447703DB44
                SHA-512:BB978A7E7349BAEFA7EB3CA356CA5BBE3A86BCE759AA99E215A2ECC8180B5A69BED3F2548419D7B8843E6DE17A00DE83387FC2E77BC47E4586AA8D402BC53427
                Malicious:false
                Preview:<EncryptedKey>ZEKN11LANZyZ+5lAV6I0n2NpzZ7BOcvlVIjcQuDjNv9tBdXrk6UC6aiEfVBbdW2rHojTXrp+d7vc/8ThlpwFQOA8hTIEjoY3l8kBnl2rUuXGN6qyAQHplYSGIdr2pu7UWOHKdtLLBKqVdBHOYowOjbk55f1NP+l3FQPA8Zsvoy0=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995022868352035
                Encrypted:false
                SSDEEP:24:fMtItG4EnCeSLN/ITo0pQ6lfiIkxAeKMD8eG0I7YlMp+MjK9OctFjpPo7:UqtZECeSLNg80biIkCech86pTi9Po7
                MD5:66C0E4F32CCBE8D2130CB19A3ECE3992
                SHA1:61CA4B21FE544BE992FBD231A8A9541EEAEB95BD
                SHA-256:75F147A8DCB1F03A1949912F5D58866BC3A3E65A2F20D17A396B54DA06D18624
                SHA-512:FA24B894E78EB2F8623CA55A683D1F0BFD1616630510EB5E7334981CA86C137BA1EA2A41DEB2D715B2EE721A5D9C8436E3C82C1B89B283CD242AEFEDB87F1E6E
                Malicious:false
                Preview:<EncryptedKey>oifgSi4daMGKWW40x/SrLUZjZWomAhM5OE3dz9bIs/yWkY89diRQbZf0a0sqr/QrlGMvyXwd3+45OPzgmh7pVsQ9JA3YaPgAFreXcLJ/jLQ+fcIsWBTniUpkCEXKMK+/Sl1JSfoYUy4aE2jPen3lvqRhVF/f6Aw3xfo5oAh5rKQ=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.996886456269395
                Encrypted:false
                SSDEEP:24:fMcEYjVIdOQl9DK3HfYTXGiAvFKjIM+PRFF1oBiS3DuhQ0Fcd/l6lZJPAnGdR:UcEYpmOQl9WXgTZjuFbCvSukcRc75eGX
                MD5:C224F9FFE8A738363F181160C86B3AB0
                SHA1:51065EF92BB9AB38A7387380DC90D25E8F71DA04
                SHA-256:DD70CFB0C42FCB98ECEF465DEFE6FABBCD930F6748905D4A3A6413DB81655072
                SHA-512:CF7F91552E93E3DD2AACF03C2C1241C9E3BCDF2E6E051B6793AF0D9B9AAE57AB3195DAF8F5CE5FA92D5AA59A22F9184AB00159CB4C63D659069F0E7DBE6D9A08
                Malicious:false
                Preview:<EncryptedKey>WB29r5oqsX4BNJxFOzu8+DKp2xTwuL/L8rXcyH2lG5Gbqq8GG9Tj8K9W5maEnhw0qRL7CkMi5o1zKmwGzhLpI18GJU+Rfra2Gvbn/sk6lbJ+wg0rELfvDS6yTl5FqADS7uf0ih941gZLpvukntzmjW0W42k6E9i5/CQUOi86m+8=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993985930845871
                Encrypted:false
                SSDEEP:48:UBjg1Fk6ZBiKg2N01+jmuTXyv8J10vDWiZ2DaYQWhK4:UlgnXZhg2S+Xyk2yZQs
                MD5:BB1283EB34A84826C74A0CEE6FF78C08
                SHA1:E60E3BE324B69D7260AAD0E7F95E12EF519899E1
                SHA-256:EF438AEBB18D93C2597D01137560141518B32A2A6E88250CC75A58CB08E70208
                SHA-512:C5C5028E2AA15755080C95196C2363356110193EEDE12F1A944A9F9370BCCD250036A14AD18C97C58767FD22EAB99F4A8595546731A1E88FCD3BF5A09201C706
                Malicious:false
                Preview:<EncryptedKey>jnXZIVPW25TS7JwxhWFPZGqobHqw4mfa5JiQ5MGtQ4eXOaldvwPAcp97q6NEv17uenJfR9eMOysm1cGBBgiUCl8NU//k/hD0qNINxgDvECCvyfOzURCVrJscORveaLjzR1cst+JpXOi4FdcWjrDyG6TxELnVAd9SoRF/FQABCbU=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.972499904057436
                Encrypted:false
                SSDEEP:48:UKInAYsQjOWn6uIdK8oUQm7oC2dlf3mAX1SA7Iy:UKIA1QjOq6uI4W12P4Aky
                MD5:ED3C45914C8442160400A6AB3822E761
                SHA1:8C755500A9BA181C0EDED345D9C690E112F75814
                SHA-256:FE9A61505E65BE6328CA709F516494ECCBA902DF106DFF248352626B42FD533F
                SHA-512:519681F4191C5BC33AFB8AFEE24E3805E9DACBFE95B66F1ECA6B27510D0AE68A6CF74D5B8BD2F119DFF180DAEAB098424614C38D888F843515CF3FFDC0C6D92F
                Malicious:false
                Preview:<EncryptedKey>V4xF/BajB0ypNoBEiOk5vtcckLhxS55IJ+JcMsZkWWXMhNzFnKEQPH4h+gS9/+EqGVkIIDSHQ7v3txI8t8puXNym5G9dOc6GSVG43LeP+RfYwFkVcyXTtPmaS7QDlWbvpUZqrllJuDNeT/n2OA2+Fu7slUdPdcPWPzuVqMgDqEU=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991386810849673
                Encrypted:false
                SSDEEP:48:UbCsINg+cBPOaJfaKzlCHb+PKMpra9LhSW+2DMxE:UbCb5cBPBaKhC7+P7prapI9yCE
                MD5:D542AFCA565EEBD13CF07FD62D91DB22
                SHA1:41BA54E29E5D0422DBC6B22477A76E24A6814D69
                SHA-256:4BD46B58776B6F4D3A54ED175F854F7A97893246E4A2604F2FBBB8739FEAACCE
                SHA-512:C5E11528D043042F81EF2658507A1B16F9EBE51D830187D5A24AB0146A49588FF2F99CB37052DED6B3CCAE3B2508641E886964215F3C4B3D4725F92B7E218B9C
                Malicious:false
                Preview:<EncryptedKey>Csij+W9pQ5LnpEsAWdVh/iBXmqLf2Gqtr9lOsL6pTaSnoUIwV6ZCudfgAiVcUxgmLdJO/GOmv+ilGCawq65My6d6fdwQLiyXYszEDHW6t3M1p/B75eaZyzPojllVEJicP8DxGg0jJkq56s1QI42VJcffya3HAp/AtJJoVQz4oj8=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991743950388719
                Encrypted:false
                SSDEEP:24:fMB/o0ToNyOVaP3vrGxMtb/pWoBJfIJ7xQSwkYV/XeN/gyAqa5g8YfFDlcRn5vVZ:UBrG9+lzpWoBJgXwXeNYrPnYfYiMILO
                MD5:927224C1C90CF217D3F2660CC4DD18C3
                SHA1:614E8DF6B1532B263F570557F2C56C6BA680FA81
                SHA-256:D798B2C03CDAB6F82A58F39312BA7084555A838BD9E47D81811B3D8E9AF4E2ED
                SHA-512:B9A25915A7B6B9F6183BAF5133A04B6A85F77EC96D06BAD26746CEE20EE9B0B9A5B48B57B02CB9FDBEA86B002B62B076A920805C9C1266ACBBC10C4912FC15E6
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991137782645203
                Encrypted:false
                SSDEEP:24:fMfSu3iG36HR0XFLZIYTn3U74Aj3Nu7VAkMv7TrkeGNiO32qH7i4czMgPXgH:UKuSCTXFVFTnM+VUnkHsO3N+roz
                MD5:9B5EEC458575D6B44C1F6BC1BA244F63
                SHA1:94610D6EA84443189BE8868F2038BD74702ABF85
                SHA-256:0B28BA73C1FC2A5C80EBE893A44E7965CE0F7A52C73BD85573889BEE7351D273
                SHA-512:1B98BC6EE9F919636CF94DBE722F3741F17543B8385503CE20B5735144456FFCD9623681421FC411405BE77769D440362FBF102F9801D84B5E1B6134EEF04CA6
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984814379881217
                Encrypted:false
                SSDEEP:48:UpCcS6nS8UeD5FvxUEVe9iFm/3nvpxrGVVIlRX4:U8cSPzejvOE+rhJ4Ilm
                MD5:E3727C6898D9411E7BC5086FEDA48FBD
                SHA1:03EA47E19CE89FAA06137EDF5C1163ABF2835520
                SHA-256:904A1FE6D315F9B7602BFAC496749BC1BD79EFC7E4B50FFF6FA912145C08DB9B
                SHA-512:41FC108E9ED6EC8157386D0376C2CCA6CAAA938DEA7536F25BCE7FB867A960FC6A7E41FFBF51DE8F091589E2B01B9CAE3EF62584D1882A6AABF28E95D822BF9D
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.985103389077599
                Encrypted:false
                SSDEEP:24:fMw+YZXLPkhfiCFmoIC2HBhz+ixBn7qU8eb7+xp1HeJc4ZnAYa+bar97gYgMw49:UeL7Cy3hz+g9WUnnc4SGGr97gaw49
                MD5:9BEE226164852E9B2790472F584EE408
                SHA1:E04E271B0297A703B900AED51EEEB6574F4AC39B
                SHA-256:428CD2DB5E94EDDE6D676DAC6BAE63EC1B15BCD96E2C1B888F7F342A0A9E4674
                SHA-512:4BD788000BC60FC7061D501918267076B93D2A81044EDFF684FA77E82541133B95EC7347F94825616569AEF0882E42590CE0ECF88043C0B2DA2050E77130ADBD
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995773337978067
                Encrypted:false
                SSDEEP:24:fMDVXuc+BBcT86yGLdpl0ufB6oc86DRf33QF4O1FjrdesZ8VbtLYJ+njPMQqWA:UxXu/0DLdEs08Kf33cFfQsZ8vLYgzRy
                MD5:7800E28384C7678E75B1DE2B8FF33F4B
                SHA1:8D3DEF2E6C629F9C617F8EF0B92C18F62B04CC9B
                SHA-256:BC9AB28245B66BE759C8B1F8E58E5C832FF4F4632438270DD83AB69E58DD664F
                SHA-512:E7EAB864881FD455DEAC4BBAB367C96C9FACD10DD7836E9D238E9DBFBB70CCC5E360D8ED7C1AD714EF6DF2B5D50356553F1ABF2B98A9ADC9919372498B8DDBA0
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.980108745635899
                Encrypted:false
                SSDEEP:48:UXfz2VKYs2VlIm+ogpA7YVF8J/YpCcriBTDru:Ub2VJnVlx+A7YVOJQpCcG8
                MD5:0D00F8699DAF170F1E1D33FD612E468D
                SHA1:28EEB70E8A87D9E2E4BC8CEBC1E3AF74600E6C6E
                SHA-256:4FDDA92E91F96BBC458536CA54E04C1A81782921420FEF049838529246874CAB
                SHA-512:74B5FC1C1124848658E9807571114DA5972B0ABA422A01CAD76D00E54C2A153A66763AD8EEDA56DD2E8343079835EE5E10F73CED2942C9ADD1DC10C7F076A2D2
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.990190716541732
                Encrypted:false
                SSDEEP:48:U8El9VGSsmdF/w783i5Dhzr4bdOJIWJS7:U7l3GV8F/k8S55UbdOfS7
                MD5:6CEE9B09F8591EBC4455BBC996AF03D3
                SHA1:F10C9267AD60088BBAB5AE8F2089A529D13D096D
                SHA-256:4EC6C7065C58EA046106710F68AC74ECBA72B04479CFE32DD45B30A0ADC862B9
                SHA-512:FFED8C8E7EC2FD3B7AC638AB281C5D3BA17CC40226D6A888562FED33BD0E5083A143353143CA01A8C9850B9B80F53A8BACA8F12237529160B8FEAD91F2591426
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993542358388861
                Encrypted:false
                SSDEEP:48:U9SC8DEH6FqY1FxaUeNTaFfP3C5tz/OpdnV9DzZ327:U3AqY4/RvzGp9P938
                MD5:42815A222F966B6133F7B32B3011BA23
                SHA1:7B2780FE732D039A208F8AA0D0B44CC990654581
                SHA-256:778BFFA1A13C3035378CD0D2FEA7C244CC1E1BD9E463F538B9899CE0871EDF43
                SHA-512:1388E45834830AD5F6E7BC80087FFC4B029DC47E7D0AAF0EE7BCF02696E264AEAD943A7DEDC60CACFECE8EC54CF6217D369AEB7F93C7771D443CF6D2873B5C01
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991428407588896
                Encrypted:false
                SSDEEP:48:UtFV/KW0qB5j9OXICCoU1vF6HznVzqd4I:UtTSjIjJCWvOVeb
                MD5:9FF74C99259194C8C9D5A311698C8F3F
                SHA1:09060C2E00B63B78125DEB458651497E3F8F00D9
                SHA-256:727145F0D16785F493E8F7C68DABE902F771FEF7173EDE228094DCD2BA515BD3
                SHA-512:87B172906F493574A3C100199C9E596C3E5C17499DDAA552ADEEE306FBC43669435280CFC24CD20C064EB0767760C898EF8BED71897AAEE117AE1F7E1347B9FB
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984782515926918
                Encrypted:false
                SSDEEP:24:fMVZP/RaJMudaCdry0X4EOZuyFvUa08n0zjCAqdy5eWqrM6dYsC3cFLd6cQOn:UVZh6MIaCpqEyjS80zj0dYsC3yB
                MD5:3360147666A98032122F5B591E2B406D
                SHA1:6622312156876C4ADC526FBFC70978472D4A42C0
                SHA-256:16713194991BF3B1145BB03434D7C5A58C5505FAEBD2D6E4F7A253CF0004DB3E
                SHA-512:53697788FD80A675C7DE133D2A5F0DB16563FC7405B8F5614D08B244AE8428C824F31AA727428830A4BE76D30B4605D00AA5134E54C5DFD471171E05F81C41E4
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991937586857637
                Encrypted:false
                SSDEEP:48:UWGMQB4oup8RAeWrQbGXaX/zp8zPOwsHUbKNLrIJI:UWGMQB4bKRyfXKzS2wsHUbKZsI
                MD5:20786256D12F6717827A72B827F80D66
                SHA1:30E4853BDEE5405E32BC97E057FE8E42F2E68151
                SHA-256:A236DB2028EDD5805F18FD0FD90C88CCBC0CC84C1A64CC129E26363D6ACD70E9
                SHA-512:924E27E258CC3468EDDFBAA1B56057530F062D2543F2502EA173D3AC54C8A8EE8D5B7BC2E444EA12BDCC75433830066C48FB3A3451C69EA4388272813A250A9E
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995466418427964
                Encrypted:false
                SSDEEP:48:UU9LBPY72ufOKsQRXnt5Hfcg8B2Fu9qVv:UU9Bw7JfORQRXt5Ugo2Fu9gv
                MD5:07DA72B7881BF5AF602AA7C0B712EFFE
                SHA1:A3F1CD207982CB1A0F8145434678FD7FE0487B41
                SHA-256:A92D90C5F8968DCEA01E1F917028F61559E34E29C9A6538FB0E8F6FB16F38503
                SHA-512:F15BC69AF6E702B6DFDDC6E1E9DE782C8FD9354CD55FBFB131226AFBD5C62047E95108BCCAAEAF8B5D948534EDAEB2E4BA6D4334F0CE815315CEAA3119C810E6
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):584
                Entropy (8bit):5.9547041005346095
                Encrypted:false
                SSDEEP:12:fMExvxD31J2LyAiH4E9o/bEhbnoos8Wr+vpVwHp9S9M7ynQb4:fMMv5315HlcEdve7bg
                MD5:5CE43B42E67B145912D75CE8C72DFDC1
                SHA1:C4D436E21591FC11A9744DA8CFB0960015BEC6E9
                SHA-256:23B8AD35C3EA1C3C424A5DFAFE0AECA66428C79808AF0F8261A9E93364CE65A4
                SHA-512:3C3A40307A13F7F4010174AE3A9A880DDEC83BECE5921CB78E72C496D1ADC650DEAC6EB0D989365F5F5A620EF5C1E5F91DD2D125EB525EA9528F83F211D1C31E
                Malicious:false
                Preview:<EncryptedKey>BMOcWyUueGY5ar23EkSCr9Ds0ZDjk5XjWHPMrm6HwC/2yfLAlcSX48ReUXP8Ef4XRU8AcHvJFx6un+kWJJ4jZbyYjaEW5R1h8fNxXe5HoAqQE1+tnrS04rOCG8iLna5IiPddNbElbamoWBNUF8gK7Zxrg4sxMzPP1lYiTlC/dMU=<EncryptedKey>8UMs2G9wSplVPvJ7lzEoY9AZYW44sN4rcPmGQ2syUfPxSAVP8XYzjS3cgJR/G73xN5vr9zwJ/5JJj/xM7+hM9o4D0vEM2Nj+H80iSPouD7FkvFaTwM8rs8G+Chkak6RBSVMY6Iayabxx5srUp8yGAvqIZRBqNBzmS+qUri9fsSabAnOHE/ib5K7W0c6cso6dN5Ip3KPnqS18EwTBJZ5hji20DCG48smThWrCsYIroYCDybegVtUii7v+3hH3P9s6P7nPpcimZWnoD2BPmszJrLs2b6+wIPlq1CABZKb7ib9oyiXEyQdIQ9zDHiCEB+QbjRVEdqKFEU9XgsDZG7VuhZBr3W9xeb2F0q/T8LkWltxPDoTv2p85qxAFh+zv2laF
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.988940377310056
                Encrypted:false
                SSDEEP:48:UdQb/pOLcgJvDkCayeQdaP5D1geNFHV6Xb:UWtOLcgtkCKG25D1gSF16Xb
                MD5:728E0B373AFC6F0EB88B6D774A22ED3A
                SHA1:50EC96FB20874A405B5A8E349BD99A2004B79C6E
                SHA-256:6376F60B328D1159C1DF3705F9DEC016873A11E79E62D668E060B697CA48C82A
                SHA-512:B6FF2636F84CBB2E71538CCE1A58CFF0ED6F2C7AA0EEEE6D06BAC8226D573B3F0E45365E43850E0B8B86E5EDADC21735D9CE35F095D2AEAB31748F3ABE9C3AD4
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987980047220568
                Encrypted:false
                SSDEEP:24:fMxkkqh6iCjwwZg+RhcL3VK0mtJ3Gy3YWfJywPlfpaxRSWGczrxCkN7rrkd/Bg:UxkzsjDe+UIjfJ7Plfp7PK5S/e
                MD5:D1A225E5225FE15B282845CBFCED7A64
                SHA1:FB853376FAEA547C7796F6D3BAD8C76800E10C46
                SHA-256:E1AF3FB3394EDACBED65684EA152A396D5B22D64C9D5CC69E2AA20D4185F255C
                SHA-512:5C00C126CDFE465E1AEA9C5AA5FC51D44C66B874B30699323F2C3E1358DBA4B395BF2A4337DE3DF70142D393C9FFC5893A72564245E08743378118D52B14120B
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.988791038489357
                Encrypted:false
                SSDEEP:24:fMQBBLs/3vb79wv3WmjOOhWU3/5vXcDfh4gDYpyM90Zfl0bFoV39yKUEcVMkdN4Q:UQXs/T7WeAV3FUfh4Jwtt0uVQR/VB
                MD5:1E83B1D390F70509DD5AA8D116ABC7B7
                SHA1:4468F02070874087F03B7CC644F6DA537E010198
                SHA-256:D597D42E0274D6C581154FADF2C2C45A51BCB06C40D9F7C818ED6BECC62CBAF7
                SHA-512:10134DFC8D20C3FC266F5F55BE4F2A3D11D3A5056C17D21BE92343C9709D259A7BEC9EA7CA8DDA88332A51B790CF37B8198FF3C0F0006CB047A28C167A24D99E
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995772245759813
                Encrypted:false
                SSDEEP:24:fMuCi0q2d6sfdZRHgSXZ+mloTgGKu3FeddyrSpk+6e1rGy8OTt+ISWu4ZjvEgGdV:Uu3PoHgeA90l0+kT8GOxBSWV+dH1
                MD5:25BDA35C9710035871159F40EA8147F8
                SHA1:2FA62EF8AC3CDCD76678737608DFC69456FC1C62
                SHA-256:75A2571140D95FE66B6B633B24A1F7DF958A0CCF32FD2DE287CAAA3776C2FC7E
                SHA-512:E155F10D8BCC6CF6DE13B352602B6A48EDD0BD64C2E467FE60BBD1A526C116EA662FEF16B7EEFF852141265D4969FA60C79E22BB5ED0E222AD4F3604A3312ED5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.99012549611342
                Encrypted:false
                SSDEEP:48:UlIBOboeN6cnpGA4hOhYEJPGI6+jDA3H4:UuOboelpG/SeojDWY
                MD5:8E6A6BAEFC77D8662C1BCBFB1FF9A199
                SHA1:37EEEA39D3F02B2DF4BFC9194C86AF6F1DF1D23E
                SHA-256:74B183A880C117928178A6EF11950203F077C601A0FC980833B7F8A16966144E
                SHA-512:09129F5FF4C02D28DBF0A371FFAAA075A79166B3EE5C0E3568CCF240BFAD14B6E195F1963F364B63095F213CAFCF2C08085169AF71DC396B7587990E3E2D5CFE
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.980843855897789
                Encrypted:false
                SSDEEP:24:fM4QKvm47AjGayrj+ajsIqW6/9KKnf5B7lf+wXmOx3TYRYBsHbxdJyxIDqSClK9G:U4QKvmhYr3wWmKgzFVmyTYue/3FqKJcP
                MD5:2C43D90E749320D3F7E756C91F847C1A
                SHA1:4F6865956D2F725DB7429BD8AC8B2F0CF5A4FB4C
                SHA-256:6EB55061A7CD4ABC6B5B11AB71AEB443E459B0BE5FEFCDDDC6ECF02F148149AC
                SHA-512:DD2BF0D57AB7B6EFD6501EBA86938C026F2C7BA561A8F0A204C79F1A242CB10F2E731E0894709CA3FAB110B55F87387C4A10FED29E5D3A5B7EB4E4D2129F256C
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.990580279868341
                Encrypted:false
                SSDEEP:48:Ue1ASVz87X1pqV0MtwEqCXFaEAzx3APj6MZiUleUv:UnSSl/MWHIFqJWnmUv
                MD5:6FF34A8ABCDAFDB11CF2713D32C4F95F
                SHA1:2C1E3E383E839D91A0685078E1871E8F322D2B47
                SHA-256:8BFBBE9D8F429454F6553D96C2E3734496F1D41EFE36D9B5A251656B52A0F512
                SHA-512:F0D98DBF2BEA290D066BF21A5B36C881107A1FB3B4018EC304B15094374A82D512EEFB62DE38674C3A41B9D7D8AA4E158C80FC4C217553B30EFBC016FCB67E2F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.99514056790794
                Encrypted:false
                SSDEEP:48:UmeN1C9mHJ9HMSTRNYiD3uxJVQ/aQXCfNkdWbwIiIOSk8ifqM:UIuMijEAaQUNwWbwNn1
                MD5:6C8DA0A6C8D4A8191566FF662E6EC5A5
                SHA1:C0F7FCA4ED56FD89A0A559E29AC71F712AAA521F
                SHA-256:E083857292603CE31450A758E7CE37080FF688D89D90BFD97ECC0342A0D33435
                SHA-512:2A0AB8C36A3942C04E2403A8447F8FDFDA1B724140413765466286541EEFC6B7131E729B43250D990D8D1ED84C46C87C16D09D4E181C3BD5E2533AC7C937EF2E
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.999684159557093
                Encrypted:false
                SSDEEP:48:Uzym9q77xQxqpyiSACIoexJ7HWIg1DMNz:UHMN3dDfbWIg1D0z
                MD5:ABFF68DCC265667D802961154E238535
                SHA1:DFCB79E3E8E951D5F7C5F1F8B667899907BCB740
                SHA-256:4E5A34DAE6092FC8B739FBA1A70B052F1F8CB1F31277648BDD01B014E111CF2D
                SHA-512:B48C7CF7BBD1D1BED7DBA00B6AC7F92335D78FAE34B90D5475081CBBF06991A4217E86FABA9E384684F4F1D7A81E092E46A80A3201FBE1A94691EB9FF37F751D
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992956466791664
                Encrypted:false
                SSDEEP:48:UnIWjxlaK+06VGTj5063Jge28+mo/TWjLtJZZ:UP1lCCPR5gHr4Pb
                MD5:697DBAB6F2772B7E51FBB477EFBE3B70
                SHA1:137380BE2D7DE68A165822BBAD1098DC7C83CF83
                SHA-256:E8E5241617E13744990C494D2785442C45B43D54EC8195F65517FBCFBEF394C2
                SHA-512:225A7D30B43AB88CE06AFA2BF69FB0629709E20A80D24CEA707948FA32D59B64B2741D60D6A8405BDFA360E8DCF70AB9F0264688B6084DC3DCF7849710CD9204
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.985508990656979
                Encrypted:false
                SSDEEP:48:UOlOkcoHvpMnc3GcpfhVDb9/DcN/yQKQPA:UOIklHvCcWcHvD2UQPA
                MD5:1487031A3747C0A37C0D28EFC5FFC097
                SHA1:BE1A010B4CC1A848E954A09C97AF04819E50815D
                SHA-256:AC5F3181108D93EBFF3BA33402ED01879BAF409C38F706D1E95ABAC3AE8DB45A
                SHA-512:7D15E5BA0EB0A5D7A83321F28795A3C562888991324014605FBAE37F49571C5C762BCDAEE8142A21CD40EED670C2C83F39C2073EE0BE899D6D080CE0340AE770
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.997131247945302
                Encrypted:false
                SSDEEP:48:UIdL4p1dtOzy2CxRHCd9JflQf7MnneUJLzuj0YiR:UIdkXKy24CzJuf7bUJXae
                MD5:9D713A90C1494AE7C78BF7D6A75FD5E7
                SHA1:64B9BA7B671B00BEDE5489D1A801365E72306BAB
                SHA-256:34FF866CB33BDCCB2CB70855C16788DEC8D2A681B38111B59E4E9138A5B55417
                SHA-512:1E59644967027491D159712967FF04A8CED569A0C3A57E318998B107A68E0B4E1D8E9B851C46C7BCB5EC9AE2EE29EE5EA6995C1AE082ACF1FC805440E9883993
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991989326861488
                Encrypted:false
                SSDEEP:24:fMCw6b5PPaGwVpfOckMn2BxCRyyJVgJH8J3nMduzmkA4MYB57IaizrByU7ZY2MHa:UCz3aGaYfz3pcJ3hz5B5Idy0ZdMHa
                MD5:D3C59330F997F595E0DA04669AA58510
                SHA1:44FF34D43E39DF84F89B2830D3060EECCF69F8CC
                SHA-256:07B68E27BF94005127475F8908B717623485A69B292B304A4F5DC1E2D0588C43
                SHA-512:55F8C54FAAD855C0B5FA688FB6F6F232A56F7716903B516462D1E21FDFB88E6FB08166F1FC2F9A5C3D3F321032565484EB92C8E17DDE55F76BFF3A79D27209EE
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.994224839095972
                Encrypted:false
                SSDEEP:48:UlMp2jS6mYet1G5p665Sz+mckXv64G/3UCV5Fx:UlMRYetwVSzTvuBV5L
                MD5:C11E4F0F9271DC64666BAEE7CE1DE7C3
                SHA1:95308C940A914E4FAE8D27B9FB9CA05941897A08
                SHA-256:4BACFDEF45B15001C21D92D6E795878D3A1053055633E287FD3A5BC2371CA699
                SHA-512:D346AA4E193EF37A6D08C1BCD01DA652451469EECBF16412E81D21E62E8EEF7AD2FE4A03A1AA9D1394B0715E45D981112636F217E3D1701BCAAAE50D8CC7E519
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.992386403513974
                Encrypted:false
                SSDEEP:48:UwJflMNSsspb/2m0gtw1L3yzi+FlB9lUl0POKo:UwKSzpb/2mztsyeaHiUOH
                MD5:4A68FE101056604924CFF24FADC51654
                SHA1:66B54341F301C423A911D0225E49135EF5FB3BC1
                SHA-256:62DF59FDED278BBC81527B9F375DD983A964FB9D72DB745D5ADD1F530BE2BEF9
                SHA-512:A236B806B09CA402DC9CC5CD83B0E0EF34395ECB325AC69A9E090F139656E8AC133F5EC0D3F6F1702A07025F12C9D2D4AEABDC330422ECDFCA1E8FC1E777A459
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.990224108267597
                Encrypted:false
                SSDEEP:48:UqipeI6Pa2vGtTi0yjVYHAjyV3Hp3z9gMk:Uqiph6Pa2kopYHAjyV53Q
                MD5:CEE57FC8CF4D422BB019CA82D04CF546
                SHA1:FA30A9128F519B452BACAE4762C73F70DE1BE1AA
                SHA-256:B0FDEA6F2B1BB6EA0B99F19B43523837B1D8BC4CD48DDDF81188C1A0BA334A9A
                SHA-512:A8410A33DA122EA1AB2AD0973062E00199313D22C1C76424DD473704CC4E5204C62759783CF57858EDCC3A0B5B824E1478D4FC4B915340241FE13C6C536EC03E
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.997437442581198
                Encrypted:false
                SSDEEP:24:fMsMGuDfLbjf6LrBOUf+5QqsIwr0UvhaqiMtLMsXI+5IEaAPwTdQYui6JQv8WSyO:U9fLbwBOo+5QqsIw4U5atuLe+1Y/OV82
                MD5:132FF87815C5A5AFC9949E6D1EEF8D4A
                SHA1:30EAC942E567FC20706F439544787A80E905CFFA
                SHA-256:9B54D4413EA53F19D5E7A2B9721A62F218834D734C2F98E8B7D22F5BCC378889
                SHA-512:A1A3814560BFD1441BF875C1BE3400FFB1C43EB80518533662820929DF3FD169437BDA5919B84C46AB01755F31B0E39FB515108716EA531EFE507F5CEF4455A0
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995569294602348
                Encrypted:false
                SSDEEP:24:fMAyfK36rs3P3jR4e0f/FEC9AUgd9szcO9d7C59+23g0cBkdeQJEnMP:UA76M3dF0FvAUW0f7YzzIkdTEMP
                MD5:3F2069EF294A1FF004E7E7FF35A071B1
                SHA1:4A9A33E9A772AC14C5A3F8CC2CCD07F45718AE59
                SHA-256:6AC29172371A779E6E8E766C62A803790168790DECED2F637EA866052977C1FB
                SHA-512:388B1C17B64A3CDCB69349DA7A837A2500FC541FC61729AF0EECA8248BE67F152F894A5E0E4912A68A776B9BD600668CDD22115D0EB36B065B30BF93D8835725
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.996153781006369
                Encrypted:false
                SSDEEP:24:fMY18PFRCinj9Du3q7Z4h5E+8EtbkkmZ/zEbT16/KFDptfSgkZ+iomR6AAk:UYW59Dua94KwgtEIufShcPmR6AAk
                MD5:112FD474910945BB455BF347A6B28634
                SHA1:C0C3E046087898F12E9284E358FED7A75BA5D29D
                SHA-256:DC00B961821BA0D51A0E32ED24D2625B512BC18F45F0C4FF4CB0D87FB514FBD3
                SHA-512:9D1297129FAD69161519E92F49D64352142B4E87EEAEDE7DDAE097E1E91FEA7FB638711F516D496EAAEEAB87BFEDAFF9DF77ED1D80931D7DE15D62E2740C5240
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991304943244919
                Encrypted:false
                SSDEEP:48:UB5v/UFc5tlPFk5s72WXQwljVvxW4PSEwlIswrHCAobRSH:UBt/UFY0yayQ8VYsShOfmAo6
                MD5:983EE7CD5B26DA270A07ACD9FCA233AA
                SHA1:ACCAD7B0A0EC126F7B0B57E205E3A0AC64CF7063
                SHA-256:FD247C86ADE522222914DEEFE88FF093657E9C68799F188FD3C25BA4408A8EAE
                SHA-512:D3CF12A815AC03EA1DD41A40EA4C934F7918E76A9D1395AEC78D73FDE1B699BB42E7D279CE50FA1DAC50AFB2B4974081686A7D259254A942CF1435EA2E77A880
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.998680722983435
                Encrypted:false
                SSDEEP:48:UvD/mAiMTJI9c0irxFQ8rQVYAun7jgYKifLcHJtT:Ur/QMTJAc/LBrQVYAun7jgLHPT
                MD5:D4B9A410D915EF70592E82757D16FCFB
                SHA1:6A1842220FA76E4A45EA69857B8CCA247CE1C5DE
                SHA-256:D867324FD39616C7E2564EFFAD3069B574A905BAD33ACC7DEE294C135FD0D74D
                SHA-512:7222B98270FD64D314FB4CD60C94C4A570F662C6906EAC1165AFC0D0B72B301721491B744D5E179463F8E05E2E5E75DBE6A5F96B6821E6442CE7C09D910FEAA5
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.99945012212378
                Encrypted:false
                SSDEEP:24:fMK3Ry1a0O9WO2Wm6cbXt59lt7FlMixsoojlcYDLY7/MgSnx9JZmCl:UKE1VHwcL7Ofom+0rP1l
                MD5:E16BC34EFE06A0B7C28FDACD7C6EEFCD
                SHA1:077AEAC220BFD516BC519AC2224356E59AC50A59
                SHA-256:44165BE26C9DD52EDF7A3734EC18BA5FEC279E20F2BC4169EBE4DC8CFD044B18
                SHA-512:43B10E7299D3F2B7212DD40AA9B25C71918711D23DF76F855459A64AC6C8C7E1F582BACA5B1B47D9C0456EED2068710CDFC05E097FD20C52F77BBCF33A14A4CA
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991722741407416
                Encrypted:false
                SSDEEP:48:UW9NAPh8JBtvMtIkNDb0XCgQxrlGYlldYwotlVy6:Uyue3MtjN6C/nGQcB
                MD5:7950C260201119E9C659D2AD2911F671
                SHA1:6F681DB6177108465A85CD8B9955E79CE4544E1A
                SHA-256:3C39872394668637FAC8BFFDCD513DA59E9A828C080B6E8916EB6C1F67508600
                SHA-512:5037780ACD75187448C0F15F9CF0C888913E974C1E9FF64017B0B95538E889FB1A2B9E5087AD8FB0036A05C226D119789E473B959B1D2D2ABEEE3C55B498CE8B
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.990378388753505
                Encrypted:false
                SSDEEP:48:UY67culzSarvh5UKKB0k0i12OuyjeuSdf:UYIN5UKK/0q2jOSf
                MD5:754DAE930062B1532A92A951B2320E7E
                SHA1:38D52BB1627D5E98F65377D69E68A356A0C16505
                SHA-256:458CC70967F49FB455038A747BDA20374AAD8F89412FD5E0B570DC9EAD755AD6
                SHA-512:8F3EA6244081333E2086F7267FAF7909965B58608593250CC841A3E9F856E7527C13CC4C81A17A02A20522BEA27174FE8E0AC7FCA974782A4F0C2DDAEF6D476E
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.985086907692752
                Encrypted:false
                SSDEEP:24:fMVLOZcxNX4W5fUF6gvmDMXp7pamtuGgZyLUS92Ut0Wff:UViZcxmW5MF6gv0MXp02upyL6TYf
                MD5:5E8C34429360B7C5393581AF6ACB0A5B
                SHA1:09AAFDFCB6BBEBB0AF1F34DFD33C072C972A549A
                SHA-256:0E05D48CF245A469AA12E6618D82E114DEC362D33EA2E983F8F4AA75D7E7B49E
                SHA-512:62B2983D2BA7637E208C9A1731D4EB34818BB6F2F4401871C5E244A8C7ED4FD7BCBA4B50AB770EE7FEA666A4A5FF4C973AA0DD1A11D7D83162A938DBDDC7D1D6
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):456
                Entropy (8bit):5.938663759955112
                Encrypted:false
                SSDEEP:12:fMEhgFiIMrZiKPsa8V5SdDcpzOfbI7gEQrMfNrpOxhN6mgN:fMbiIMr45xmchOfskuKT61N
                MD5:FB7A58FF875AECAE64B6B65A045A559A
                SHA1:11B5C8AE7C78E1C685E87A64BB8148F98B045723
                SHA-256:CE489EDE1B007689B8BE89164DEC64DF5B9B718CC3D42868288826C432C0AE44
                SHA-512:26C51E33A0413F4DF4D8C5F1AD185873401006B3786BF9DE2B8A7D468DD74D8C04C5597D1613D37210F8CA64CCA6285A7CEC912B4820311C9DCECB97D21202A8
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.977286160840752
                Encrypted:false
                SSDEEP:24:fMJRxbQD7i5Otur1ng9vTR+eOkR4M+WX9Ch50HRGe1h2do:UfGviAgr1SV7R4Ajvh22
                MD5:0A12C999DE82F06692F85ECD6CB1E17E
                SHA1:6F06C49C354A0524086B5C8634BEB6B9318618A5
                SHA-256:363D679F0FF22B3D4C09C82EABC6D115DEDEB00FB53EDE3D47414832A7E75F94
                SHA-512:88BC1DC2C4E5BBF4C5D4CBFE9504B1521AF847D5B9579E491A0614E593BE94608B608FAFC59319A9C350E746FA105A7BC41FF7E77619CBD09E3C55BC274E04F7
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.969829924813065
                Encrypted:false
                SSDEEP:24:fMBDH7SotI7JG6WfCbkAZsOMetJAgHAjIqAp:UBfTIlG6JKetJ1g3Ap
                MD5:BBD4524E07AE9903FB639A2723B0D682
                SHA1:AAF81484832A23B5BAB6893B8B9636276576E5DB
                SHA-256:92386FFCEF2B32096A569C3AA1326E00A0262987416F26B8E033FBA8F6DC059B
                SHA-512:96DCDDBE78A80738D5D74D2C2A3A9517BAAE6A503B339CF954C63EA63B77A3F5A70E00C7FCBAAB64E7F56E6BCF645C450D610C0E18B3C3DFFED3635C68342648
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987938634379059
                Encrypted:false
                SSDEEP:24:fMDUUP9R5ajJJrM4KtoBGXxNXwPcaqSBXFpT4yDFKLK1XE7SbGXsOojFHwchNQCW:UDVGMJoBS/aqG1pT4/LK1m5s1ZQchs
                MD5:96D6F7FA0EF1FF1D6679247940507E85
                SHA1:4FBE6F67E274A18239C74656D6224684D688582B
                SHA-256:306E17AAEDB7FE6CEA3EBED5DB45A494CF4D55EFF29DB61CC180620675438512
                SHA-512:30A0D2275DAADCA78133508079D281DBC38AD2FCFE76F553BDE6DFC993715CBB44E660822B309457280B58555075D75C151578DA63A4DF726BB53DD4EC8D662D
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.98244671728485
                Encrypted:false
                SSDEEP:48:UwO4mVORadrvN0Q5578aqCBMplM7tiBBy9t:UeCORaz0k78aqCB+StaBy
                MD5:F177F131433B569476D0EADE30E3BD97
                SHA1:324AFB1BD7BE37DD67DAB4C3059581AAFDB98013
                SHA-256:AA908ED58639D43BEA3754A2D639F736E927099AF9DFB3D008CCE25B4CF58DD5
                SHA-512:B02758962694A3EB18B7E5C7795E9FFC56102A4D2512A719B8B4648F28ECA6841666726C6E8734CAAA2C9E5B8915F6912B0AF4A4DEDF59D432C514A65D9F048D
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.981571506791566
                Encrypted:false
                SSDEEP:48:UZX8FBYIAtAPxr76XoKeL4MgHn9f7JBH+fs:UZ0BCApr76XYEMG9f7nKs
                MD5:C68490EFEE3A39A784C96512BBAAFE44
                SHA1:6E764B228A7D743CA1719CE97EDFBD480158D6B9
                SHA-256:EF706D2417912D1C4100B159D90B6D1B9B8C8CD26D6B74AE1C59A31D73015B75
                SHA-512:B4CD2C8D329A038F871281D049DA693BF96EBA59186FC7C0112C989586269D875A3857FD03A251B3F92B99D5C9CA2D0D661E88CED34A52480C202881519DD2BF
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9868559237866545
                Encrypted:false
                SSDEEP:24:fMLUFQUO0OzVdla7dZKp7S7BAyd42DMMYrdTy4vadX+AJzQbG85VPIU/+dgb8Pry:UgFtwzVi7D42bYhu4vadX+AMjjQPen
                MD5:FD46136A93928775FF03E15008E69A79
                SHA1:11E70A635EC69D04D24041C8128591536823B4C7
                SHA-256:C899E463564E7006995C49E0093513AD49873E1E934A883B56860B16268ACEBE
                SHA-512:6659B960803C596F3057AA9257DAE40554F6CEFCCAB2B34F2E63106107529CCA8BFB933357325C3603B9D6F3B171E461A1AF4FED7568929B9720C4C2784ADD27
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.98574996389499
                Encrypted:false
                SSDEEP:48:ULfUPUa8QaU8R2WUXimfGtBI2S4v8DTVx8wNL:ULfha80fWU7GtrahL
                MD5:901EA31F7B007B7DFCCE9CA7674EADE3
                SHA1:7F3009DBAE36F0FC0206C48E237605559C4D12B6
                SHA-256:EF9E699631DB1EA40747FD6E389F26DC6CDDB45D8815D5ABBC790B6EAA39CF4B
                SHA-512:580DBA729774DC9B88847D405178557C8CFF8B932A43BED590ED9BA67618A2A4E165E8BE456CF13DC9D55DC8AF59D66FA1785EF49C44ED091F935C7ABD61F081
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9931641516661065
                Encrypted:false
                SSDEEP:24:fM+1wVXDO1/1nihxo3gclWb01CGrhs2TQod6+wMz9zkYx21ul0CqmBqjDv5ZapfU:UrVq1dr3jrrh7d55zp/81uQmQ5ZapGp
                MD5:73E4421E5CFF88BA503CC3D36028434C
                SHA1:38FD9188721A1BF4E83CA3440F336005389E0D66
                SHA-256:FAD6F829C25AE4F23AB39C4F9ACE511773375ACC62DBC5954E800534F877FDDF
                SHA-512:D9D5A4E9295C7C0DA3213E5BB4144EEAF8C69A968F2258AE7DA53AE122807BD5964022D9F4F2C30A8AA1E1A30D5E049B164E8ECC98A3710168D3FE51802FA03D
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987529022741285
                Encrypted:false
                SSDEEP:48:UCE9hO1gh9CUTmGlWkLweVaLKY30aQIEH3Y:UCEq1g3CUTtlWkjkn3yIMI
                MD5:6FE28C3CDC397C6BF4901E8AF9556FB1
                SHA1:F6FEAE9BE34A80BEB7EF2850B57B51FF449F295C
                SHA-256:DFCFBE8318080AF190D0ECF8290C0DFEFC1E1BCAB975BB194843E1AB31354E62
                SHA-512:24EF7EA6B68174880099D1C4A7D8490A98A3B19A4FF17629A57083694EF17F963F7894E4B1DFB5402654C81136A8CC8739274BB3DC7C8837B333DD4823EF8CB2
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>[base64 data]
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984907863242767
                Encrypted:false
                SSDEEP:24:fMokNYe8iZOyxFFlLZiUdhLUKNZkGUhiWGd6u8KC02WIRPh9IzlIG:UzNYetZOyx/xZikhnNZkPqtZV24zlIG
                MD5:98438D2BF68A92D46EC7459A5AA3943D
                SHA1:40F04EE98E556D4C13FD4BA16A9559EFC2E590B5
                SHA-256:B212E868FA733A825CEBAAE463B810E737FEF52FF8630F5032B4782FCAB5B2ED
                SHA-512:A60D165D6E090303B3D5EB12A825FBFF2C90CE14061C0168E30E7BA1D252129ECBC2ECA0063BB480189D21695CC7D023675522138B48E59A8AB72FE3D71CFCEF
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.982556215118503
                Encrypted:false
                SSDEEP:24:fMiImsGsXEmQwfJ60x9hEf6xNao4ICxgWaWirQ0Vr74bpie5Bei43xE:UizsXEmQws+hEf6sTxLHiMG74lHBv
                MD5:8328028D68FACE1094A6DEAC12B0E8A3
                SHA1:1F55CECF674E79C370B9F196F5E0C04A126F827B
                SHA-256:7B54178A37796C1A802D3F43DE4FC7746D752050E4A5C464196331CB676C779D
                SHA-512:F5FDED6CEAA408DB5930786F6A295E6056FBE1CD176A03A0ACF6CD6CC9042C83F3C442095FD37371349EEF177E2C719A18DCCC61CD71F199914CD5143332B79E
                Malicious:false
                Preview:<EncryptedKey>[base64 data]<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993951787379274
                Encrypted:false
                SSDEEP:48:U8xlb+1n0y4WGI3UDt/IXSj0/gNnYQOxjhyW:U8XK1nIWjA04nwIW
                MD5:FAE6A5D141A6908797B71C2AC57A56D7
                SHA1:34D75139DEED524D4E889BEA1E997821CEAEEE53
                SHA-256:AF59541B06D553BDAF01474F8C7E9796F44E1F238AB60CF3F3D0D54F19585B09
                SHA-512:E4A5AFBDBF66BCC2E95A7CE01BDFD4603D5E9E0390057D4D837EDD980A7E0CD319BCBADEE59EED8CACB23F25CB6D654E37101E0A13D94EE2396E15C9D19E2A51
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.998406254157067
                Encrypted:false
                SSDEEP:48:UN8dZ5KAIA7e7hx0dwFLL3C54X7NI8gYPk:UNROK0L54XtgL
                MD5:9D9EE5275FB22A2BB968EE3CA5344116
                SHA1:D469A6E154D8599395E25420FF9CF7E10BC0A891
                SHA-256:3BD30E032BE599A439AEAC21F348C71D72BD75A627B97587BA571B36C9202002
                SHA-512:FB49DC0FED72876D167851D7E3C8F084BD86D81DC90098DAD217FD5FE6E66A6DE21C6BBCB5AED4AE8ABE2F4C723AF898F0A55A09D59F44BDCE78F9E8517048D0
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.99119468954527
                Encrypted:false
                SSDEEP:48:UOtYOudylWWTELo8sPQbRBXQPRUIg2A8O:U0udXQCsPQbRBXfI48O
                MD5:720D8614B90D99866FB84859B91E2F46
                SHA1:6C02C1A6C48CEF51D39F4FD690189E118955D036
                SHA-256:66E01FE61E1DCF8EB4F56629AD7D6643E0F1EE550609A51BE8D13DED336EDFD7
                SHA-512:FB99180771A704260090F013B2CC5AC1F1C834EDF84A6C4E5CC7BB4EE2E6B3F2AAA668445A59484794E3A4CF6246FAB577F5D084BDB11F8959F1DE048881CE43
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):756
                Entropy (8bit):5.935826055303669
                Encrypted:false
                SSDEEP:12:fMEkOolWXI6WDu1vQfqoHprXW63NEMRRkeLi+9Br8HXlOn+9sDbS4hnZCS+clTqX:fMpwtWiefq8rXt9EMRRkPQR6Xc+9ETh+
                MD5:5C2C7E8BE1933E7C3D359E5AE37301FC
                SHA1:08FF200D0465B6074492C22ECD764A2D867B06EF
                SHA-256:38C0F66F692D32E73697F61332EAA26918FD2BEC496A179B8C83A17DECB9F50A
                SHA-512:E9EE0C7089F3AC0C987F385D7C69C7F42088E2254F3B181EF01554ACAA669AC106EACF79DE30717DC31822D1AF58521BB7FD54B8E7332EC2BD3A476245E056D2
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987595571892047
                Encrypted:false
                SSDEEP:24:fMH/cZrXYxM9wmzgt/1J9dH+UDoGd49g7HnUsVXlg+MB8V2Bv9Tzo8:U2rXGMwSUDoGd4S7nU6Xhsz9Tc8
                MD5:A9ED1A2326D9E9458DB456928DB14496
                SHA1:3E0C762875E31D1E13266F824605F9710791899C
                SHA-256:CD7941AA9C3A061296501934FD448C41C5502EA40650B3C51DECA5CEDD553437
                SHA-512:3E902FC7C20CCDBA5744A855E7E7AF3EFB6E55646604AEE837F80B215466E177F20C471AF2894A24EAA938BF5366626FBF1648ED7BC749C39F3B8C9E9E506115
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9918619926582615
                Encrypted:false
                SSDEEP:48:U45oAkzmlvz2JeHp/ysdA5AThy6GZw43VNbaU:UcQ8vyJUI0A+hmzHbH
                MD5:CEEB405C3FE2AB9596769190F6354967
                SHA1:527C6A86C8D2A5D336A269E5957D9A05FCBE4733
                SHA-256:B5BEDB7043E776636BD4074A674224C8DA72E2BE4E706D06007341F8F8CD26CD
                SHA-512:F5297DB889CCD8C1EFB1C0CBBCBA54BCD2E3D3D20CB0EDC2BB18872A11E898D966E3D2635085F9A838A7B5DED9106C6330D2BBCC3C530E5D3A17DC246036D37D
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995286663705964
                Encrypted:false
                SSDEEP:24:fMklG4d/AC2WHw5Y7HVXxvYeGj8psRYdAJfpBScYyxRbtuzFhqch:UklG4cWHsY7HZsnO+HSc3Tux
                MD5:D0C5BA20DA52C9E51B7633734F50DD90
                SHA1:01AC944B2AE3328966AFC57262652587034CC2D0
                SHA-256:AFF456E22E5381F999FDEFF9901A385B98738744699747B8D28830CBC6538A51
                SHA-512:EE1D3D97E4181B9FC1EB8CDCE92FD79064981401C9E41794BF3C4DBECCCA186A915FC6546697DDA925250079DA9EE4260B53F2C34F6AE6D9C747A63338189AE1
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9831901075473715
                Encrypted:false
                SSDEEP:48:UC6SmeKlz9gxiB21CSv/ZUke4Q6MXMeGe3QLHXhp:UHSmeKIxiBwZXZUkMXBJQLHxp
                MD5:E62ED9DA25A06A4F1AE8147A9487EF6D
                SHA1:792E9B7E0A18475B60CEB139FD3B5122EB5C431E
                SHA-256:15785D71B68F2F7C7AD362244235A2E304E45F183DF0BC77A9ED002C48ACB135
                SHA-512:B05AC57D4EB6201F3E200DC3140A1F374627070FD765352A09A053FFE4B779789F9EB7FA8CDE1A9B1D9C1AB177A5D9F60C4E851116E2C2371B8FE9B6D9E54733
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991234803831091
                Encrypted:false
                SSDEEP:24:fM7iHZOhxgco5wUOYUWeipX2SGh1+SNWDpeUj0pAEdfSdv/7PzP45xFbU:UeSxgZ2UOjWeiub+S8DpVg1dfSdvzbOU
                MD5:D0E8F2D1326796564C18CF11563D9193
                SHA1:C6A397449085B9D61D4796562EE85AACA2B3ECC0
                SHA-256:2F7AABFF212BB09646D3AFBC62119DF0542F5AC607ABB81B485B7E753CC9DE04
                SHA-512:3E74F796500852207DDA8D571DA1185C966423C89E5371906B09BE29DEC16F3CD9BF1615A215FCC3EAC23DFD78FF183E85621BE42069549C2A8607D6857B074F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.995401458776847
                Encrypted:false
                SSDEEP:48:UoUYgOFYP/CZgHhGKtUAyE9VpfCB0OQX4oStZl:UfYgOACZgHgW3JVVCfQod1
                MD5:47ABD297A669D81BB7F6D7EC32FC6976
                SHA1:BF3A36F8EA32FBD050BFE3181FE6ED1F4D23C21C
                SHA-256:6CD6A7C18205DFE85E71F7B26F6DB29F41C0663542B8096663A08C3E3B59D771
                SHA-512:002034083D8051B03F84B79BB0023D6E19B5800E1E09A2956483B6DF2D62C7FEF88931E36376FD5363C4153CDEFBA35D20892C45499D6D8D3F3F02116CC609BC
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.996024216293643
                Encrypted:false
                SSDEEP:24:fMJw8W1T5hLH+2T+csiPg7Z3/EMWP+HrYLtpbsLxDEUQTOzOUcfvRnSDbsHDzfm1:UGTbLtCtiIV3/oN8wKKFfp8bWzOcR4
                MD5:8A7A6E9239B283D0D3045AC5C1A45EFC
                SHA1:AFB88158CFF249D388F8012F38D1716D75C8C51B
                SHA-256:215E9B43466F4EB3A531107B7A04A8CEB107B1E5D0EF1437F6103E585657713D
                SHA-512:914F4C3567703E2A36F26A4A9D20B8113564313A7D5E917C046531C17A786D6AB21BC66AEB9465B04B9497CB1E10816D6F38F47EEE09E0D77A84197F7EA1BD10
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.993648353037835
                Encrypted:false
                SSDEEP:48:UH9+U/5QjukG8VgTiPR/9haWJxC9QerUFv6oepK7sU:UF/OuEschH0yeq69K7d
                MD5:EE01D7A1F2EC9F212FDFC0388A1E4DB7
                SHA1:F29105B6929BEE3E07C1609F9DCDC8558171954D
                SHA-256:6C5CD535A2EC6A4453C893AA5DCF2C2AEB3185F066F8FC2BC769B54B0ECA3EB9
                SHA-512:8110CA28CDA622C5C5E64B25D91019B8C9B7D80864C0963D92A68A000C78B53B8B84FABE426BD7DE051E4B032DDFCF3E1A4EC456F69C5F4CA1508F1184265559
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9831334870017026
                Encrypted:false
                SSDEEP:24:fMPGUHrWKgdKzkszraFYsZQa3kuKhJrYaBxVD4nD3p27o6jl253JU1iHHUrV:UP5HWBEuYsZQawDDyDgljlc3JU1iH0rV
                MD5:7931A8B252A03BEE8539E82F35FAF872
                SHA1:6132DF7E789C4F08611803C49FE6C2B5EAD4588A
                SHA-256:925AEFFFB64C231C5C54B1AD7F980D8A8E08670973F01984C505F9C69A00A161
                SHA-512:2CF5848B52B3EB96452546006E360DCCD85E348EDA5391F890DEDA17BBFD8A545A4643ED17F2A1555A29D03F35ACD066B6B7FA3E450810789C8BCF365A0C589D
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989996445755217
                Encrypted:false
                SSDEEP:24:fMW6RwN9dvUWGKNlw+/5EIiUSLUTEhVd4qXHMLIfCLdpcclLYWmA5t0nuxGEdS:UW6Adv51/eIi9NVFXH5QDcclGQ0n2GB
                MD5:3AD88D02F1259F708267870037CCF40F
                SHA1:9993586B85B52DEC15F33C2B0C07BB1D0D647C5A
                SHA-256:E6992580B4BAE23FCE10EB1C902327E12C1675016447AE6326F001B3199C5112
                SHA-512:0F999474BDDEDA22163F1CB768C656ABD5B9B114B26B3B4391A7CDB8BE06A4FAC1BF62769B12069C954FC62EB8E908B2716D3BFDABB9A69AC3495F677A0759D3
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989643969352278
                Encrypted:false
                SSDEEP:48:U0iscoUcgyu5D0ALluRz80zSi705A8RcLLXP:U0iby9cKzNSo05NOLbP
                MD5:6B105C70195BBBEE2957BE5AC0DAE92A
                SHA1:1DA758A78D5615E77DD537F3D09E1E10B4834847
                SHA-256:FBF06A413EB91F0AA73AA82E7565E7B5117C6C85542DFE79F19DE0653DAEA137
                SHA-512:A04565EB5BD6CAE89DF07D1085DB14EAF52CAA4D2740A2CC941560F9A5A2A179B0FAFB156C326A808445CF0464A577293F7C282696BDA58E1B9FA4EC6CB65E8D
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.980102730534176
                Encrypted:false
                SSDEEP:48:U+iUeRTkDAbg61bS5rLji/Y84p29QTmipeE7eO:U+i3RXbg2Y+Ygamipe4
                MD5:8A61A5B217FEC240EC90023935B300AE
                SHA1:82F678DAE7BB675152D79ACC812185B5093C0CD2
                SHA-256:FE9F9ADD6AFF44C6530C29EA4E1B8285E19C92875499E3F3DA60805373A3C9A9
                SHA-512:8FDB936AAE19EBB245FAEEE1EBAD6180445396FBDEA33C82852B369FFD75C6EF482B70F39839C518A677D72A1869F94CE7039A2131B011778749C3D779305F0A
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987422720799878
                Encrypted:false
                SSDEEP:24:fM9vLIxZBhrnC6MDBth80MI8mFkH8cnsDgSvXricHoFy/eN8sOjscL4jGbqTbW5r:UB8XrnkDThMTHBsdrnoF8xjVLFN5OH2
                MD5:67A2D2CAC612E91BF5073867B298E616
                SHA1:553FD4BE81015EFF484ACDD885CF78CEE8CBFC76
                SHA-256:EBA6831622BF4D7E9D122C533F1E87C33FCA9B7B94AE0278902C8F915068D619
                SHA-512:CCE76A78348A062E383183FE8EAFAD5064220D36883776E8BEBB75C5C0EE63E01148EB639C2A0297B8B1CA2C2785A73A61B2F6831BB3772A7233F412183A2264
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.987753632600366
                Encrypted:false
                SSDEEP:48:Uhx8eFD6TUYUnz4aoRWkhRZHUmDAeo7kwT7V8+:Uh1+Uzz4aook9HFEeakwT7C+
                MD5:5F77E4518EC9CF158052D624DC2F0BAA
                SHA1:1BA7CA8FB7647C7C525881037E4FECC1D5619E3B
                SHA-256:F905E8442489BA4BC3A94ECBE7364CC3F0003E3FDD94269F9B0634CCDD752761
                SHA-512:684C908DCC984C8C68D63ECCEAFBA86A3CF4981322BDE76E4CE3C15DB7745097929DA560443FF2C39AE968F5BBE2A2B266B4A41E9F177124B9CF911818BE08D0
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.9957332365955605
                Encrypted:false
                SSDEEP:24:fMfc5PxG/wT9W7SjRvcUxYqt38RL3Vf4bY6oin/y7Lk910S8U8JUZ4yWFkC38UxC:UIxG/aZRT64bKdg78OZ4yWgUIR
                MD5:A9C02D8B860DEDDB42A59429756CF183
                SHA1:67E5FE41526775C713673F99C158C6BD666902C2
                SHA-256:6621F67CB0F5BC22F8F33D39C510DB1C971F3CF0A820A9FDF66F179AAAE31B21
                SHA-512:5AC95D353ACBCA15A6B758993BB5FFF7E2076F12ED9014DFCFC7F44FB02AD797990BC92B212E70BF9C4EF3FB6902C6F22DB2FCF92D889D0239EA3D0AEB2A856B
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.984214998553367
                Encrypted:false
                SSDEEP:48:UChu/rTp5IVbYVGBwLBeBYTFds63ohsrd:Ux/g5iwBSFa6eqd
                MD5:8E3CB43C5C3CE0B6B9EC1F1CC8B004AC
                SHA1:7D76849B9864970BAEB183EBFE8A87D0BA2765D3
                SHA-256:0D0B959D96231615643D11B1056FDE4109F7714BE2476CEF69929E6E5F381AA8
                SHA-512:3A6F64104E5FF1CF85A22C801E1AFE411BD11097E33CF024BEE0093E39CDCCB83BBAB3F276568666DEE9D5559FE088125EA281EEB8B2255741F9E2830EAE9A91
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.991362833452445
                Encrypted:false
                SSDEEP:24:fM8oM4hXAKZHUbUrxYxndnE4+VYkAM0wTmagdZP79xVLJjUr/Os9cJ:U8khXh0pxFE4+53Tmxxx5BQ2sQ
                MD5:6FCF0F08CC8A9C933E9798F8F4C13E94
                SHA1:87745E4ED73D52E5FC635CA4F467A040D4E574B9
                SHA-256:0C0845DC7FC0BE3435FA1CD02F65DD506C587CC250C00E0FACE73EBF320BE96F
                SHA-512:4C304DC42AE17B713DF147CDB987A72FE21DFCE1B29F5E9CD382B3369E6CA67423D0ECEC2B5233A35CAE7E1F68684FC701328EE3E36BC52283B3328B6D74D6CD
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):1588
                Entropy (8bit):5.989524779698276
                Encrypted:false
                SSDEEP:48:UP+LIXBJCpSPk4oF4XEWX2R/C0/ke/Aoo5U6pwkn:UP+LIxJ0SPk4f32J7ke/noRphn
                MD5:EA5EE9D87BA70B55B486154875F7E396
                SHA1:BB157BE55CE695519CBB5D45AB8B882B7C70CE82
                SHA-256:857D674A3B3066BFF8F1436C593FF6A12A9D14762FF67A946C4A48CA243C8025
                SHA-512:E51AA4A435266E1A3753CAAAB88BA836B4961BF8FF860FD3CDC5B44A1611D42EACBD44408A475B1918953766EE5DDB0A8356AFF39964A1E7D07192812F16A132
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):584
                Entropy (8bit):5.950330116098538
                Encrypted:false
                SSDEEP:12:fMEJtMXsxu4QR7JrCzuGIHGTGMY+aa5EYANBaYfLQoeDeWDJlsfdq1:fMguXMu4U7JrqNSG/bdEtfUoexD0s1
                MD5:580CDDC9494163E3016B7958C84C2061
                SHA1:F0C0F704BBE7A1014BDBCD649B90997A2DF68826
                SHA-256:880BC908498958C38F4315952102713DE914D37F6C8C38C2317DB73F5E628A18
                SHA-512:ACBF159EA53044200196E79C7138B302B32D333A858E1B85B543544C017CCF993868B10727A6AD203495C58B501BBFA523EF2A7A83548B46670B0A8E8EAEE504
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):352
                Entropy (8bit):5.911728188492877
                Encrypted:false
                SSDEEP:6:UGMEUq8jucKOoAwWMPt9mgUJe5n1XzuWlg+Q4tUwDUPqXrak7R21uio494NHMHlZ:fMEn8qcqAwWOtwJIhf69ifWq7FYoKAkn
                MD5:A266D0F37CF0ED8EFA498B31B70E93B0
                SHA1:CEFEFE81860D785D1C032E628B198C16FE38F9AF
                SHA-256:625B0D33F7B5C30178FFF6917B69A8851E7FE97F63359E450D41524E0D344DB4
                SHA-512:88727F8DB6FEAA0B5D260F0E33308704D1A40854AD37EBE360776125E0B9BF10290615F69A723DA61660279D518A218FC982671B9F3CC8F489DAE995349298E3
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):500
                Entropy (8bit):5.954271207629541
                Encrypted:false
                SSDEEP:12:fMEgB40dAmMob88NYOaqCxlJAs+f9wTnU3VtbzAsLlsTpcpzaR:fMNNdlt3lp3LJsdR
                MD5:F586E2C6DF1B7A1ADF7EDD09140B975F
                SHA1:E44904F8870C5799382871D8EE718D77D3F6B6FC
                SHA-256:5D43CA5EEAC637345FC3798B1096748B682372CBFD32E0A71DF890B1DD6BCC89
                SHA-512:9970F43633B906137B6C273576DB2D3E4514B859E94772DEAC164F955CBAF7BC42242F23DB06D1573EFF88DADF2C30EF59EC7FE0880CCE9D00224F902C5BA32F
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):372
                Entropy (8bit):5.904112275445664
                Encrypted:false
                SSDEEP:6:UGMEUnVI09gCq+cG59f/q9M9vrczCvqGuuhUkTWTVAdlSNtTnLitEycZ6ku3vhTZ:fMEGVPgCtcG/q+1rczCdblTWFitEycEf
                MD5:AD1472B2A113DD65D63363AE3BD679C5
                SHA1:90D8857B6A3AB39A4177266C3CCAE154B0BE03F3
                SHA-256:6C64E655BD0BF5A11F5F792BD6519FC547320A446F142A1BECB117DDA44B04DC
                SHA-512:A5D5B728EB9B42C4067C367A75B1420103F4D2F31E92EE5BEA1A0BB050125368B4C208117F1FBEEE23F5AB7C4884FCC83E82315810D001FFE721EE98209EF520
                Malicious:false
                Preview:<EncryptedKey>sGhttoVmRuhdR6uJKW5TI+4PR7KSrROg/oFHHC2/L8UYwUX0Ie6dTwFIGy5uzxcsCF6+eUmVWoAFTYUDsf1Y5+8rKLdNUZtVnoClwT3IDEPdSIHkoATBgpUHgwvBDFvHJXm68OcSU0Ba+uYMHPk4Qfm5miSkgFRRVoeNIUPykEw=<EncryptedKey>K/+chGl63vcnaWYvxCSUdG4ewmdR0WEOIEr3OLIgRytfwhiI8hxqYBi/GPw2bMBCu2qWP3QbOjfzws3gKVXL+BHERXIQG8+IE548UdDlvD9iJP45O5pGiMuOLpIJrJLnEKN04DZKyulxrldJsw6NIaKTzMv5cNex6rRkGYMr10w=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):352
                Entropy (8bit):5.942861568137837
                Encrypted:false
                SSDEEP:6:UGMEUNuVhxcIKI9Jy9J+3e/0Bjr0Bnn/9UoxEfu8VpxUnwyCw553GnlwUWUP1zEZ:fMEAahxcIKI/y9J+Lgd/9DxObxe3w2UO
                MD5:2272516BC3F5A00264BAA185085D78BE
                SHA1:B5E11C880F878FB8523AAB76FF296DF1D59E2E35
                SHA-256:E0E22834278764BD3686E4365F1F2D2469A5FC555A1846BA0D367BF76AFD93EE
                SHA-512:DC19E09E181BA9F88C712546A05E58202B4669342B6DF58F6CC8B0EB9BF1AC341D9484031DF11570EFB5CAFAD93CC6E32B323E2E2BAAFCD3DEDB58A0F251573F
                Malicious:false
                Preview:<EncryptedKey>XVN1vlmjP/Z0DDB/bmvcnjgoIh55THXHXm7tA0yW2p2lpP3RLpztgDwN8iz+Fdjy5u6AvDFMykE/bHOh+SRKrS3+0co9JbRvqTFcIJonTUxJ+dTDmQznjB3KwNq9dXSCQxD2HpAU1R/B9SabnQb/b2pzVgIrOoFmZq1XvFwiMF4=<EncryptedKey>AmQH+KIot6BhkAs7aLn2h4mk608NIGSvOdFMt4rUmIAy0u1s/a2ZOhVwA5hGfESO7ndsoGE0jitZ1yJxCQX/VT69blGPByUVBfvP0sQip8Ubbjf7tRO9aRZM0gZVvc7be+4Qp9fI0DzSCR37uRaG2w==
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):328
                Entropy (8bit):5.9233613712980375
                Encrypted:false
                SSDEEP:6:UGMEUfHDRuY3PfcDVtob+JDv+6WdxUOEELsEtchIsnnOEmiSFP:fME8HDRh3PSVto+oXdxxEELJIIsn8iW
                MD5:A58FA4CFDDB4F972F86F54B30846E68A
                SHA1:BEB3795FA7BE987945B2309C0F0380F87FE05071
                SHA-256:28FA1218DD57B714CD75E013746313E3BD75EE50342FB79D21A74FA51C543AE4
                SHA-512:E96794646CA6B2F583EDF9366FA9FB231298A052FA9E7D75B8EF63CEB9CC9B69A56CD3A8322366061F8D6FACB4054BC0669BD57C239A7349BF44303577D75266
                Malicious:false
                Preview:<EncryptedKey>gXhuhufsq3nKxImSk5/DMlnfpI+7vcScrv77XMFJ2zR2dnxSrup7WlsBBWfkmanJd4nsoTsrloJlIA6dQ03ynHLEBCw+JUObvJNDohs9a2QNFJPbtaIaCVQfhQvf1oyga4Oj4IFBGqBDIgx7r0ibakazO75bMKK1j3DVXNbSKtw=<EncryptedKey>KdjK8WV/atREBscvw31rN4jBoSHm+bFYUAcGtYoWH+VtBAZEDAT5J1/fDwfsHXSEVx0qt1ZkAmpRSu3qcL6rLkkKChThoCvNMqfCNXOZi1cbeGZo+TXpP/NUr3w+757n
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with CRLF line terminators
                Category:dropped
                Size (bytes):1734
                Entropy (8bit):4.814853875439005
                Encrypted:false
                SSDEEP:48:DBKWN/BUVEjBmNaGeTtFF8ZH7O965H09ikxdAjpRY7iC:FKmQEj4ze7GZbM6ZYZjA7YuC
                MD5:B402046C86E08EA9C4B10B7557BA3D44
                SHA1:2DB4472BD804E9732801D4B9AAB6FB7ADA46F4E6
                SHA-256:82086DA6A81E6606C29AF9744461CCBDF6735CB1C3899383C83D07253426944F
                SHA-512:ECA57607191FC0BCB39C69F80E8C7601CF7268C596E5D6D5F262E7BBC70DD6E4C8D2D490AF3C4B841D8FB4B94D7C069AB33C345F70A93652F3FFA2E62B9A6E75
                Malicious:false
                Preview:All of your files are currently encrypted by ONYX strain.....As you already know, all of your data has been encrypted by our software. ..It cannot be recovered by any means without contacting our team directly.....DON'T TRY TO RECOVER your data by yourselves. Any attempt to recover your data (including the usage of the additional recovery software) can damage your files. However,..if you want to try - we recommend choosing the data of the lowest value.....DON'T TRY TO IGNORE us. We've downloaded a pack of your internal data and are ready to publish it on our news website if you do not respond. ..So it will be better for both sides if you contact us as soon as possible.....DON'T TRY TO CONTACT feds or any recovery companies. ..We have our informants in these structures, so any of your complaints will be immediately directed to us. ..So if you will hire any recovery company for negotiations or send requests to the FBI, we will consider this as a hostile intent and initiate the publicatio
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):352
                Entropy (8bit):5.856565192484483
                Encrypted:false
                SSDEEP:6:UGMEUtYmstcSJ48YhcA9emnLXVnZ1VyZUibIa/2vpIQGCpVkW62qiz+uQCT6BN+:fMEDtcSJSmwLT1VK5b0vm+Vk94QCTQN+
                MD5:75627D5774D7913AC71AF758C9B9248F
                SHA1:EC7A571D9C6ADCC6F973EF717E4C5BECF08B6979
                SHA-256:3F694829392742FA29654C6BD3666F7D83F197F84D66AFD5BDEA7377BB2F4BEB
                SHA-512:E1193AA8A7319ABCD77AB84833B400EB8DD0B2B92FC7CD343AC1409A4E2704D2CB7BBA61C3F2AA12F79C505CED950BAD52C848A83FE3F1AB1F07CD53547CEA97
                Malicious:false
                Preview:<EncryptedKey>iShH8RnIn2GEphi1lQKuzi+CVH9wU8U2CHjsQkmYVpJOLNzB3D3QYs5s4Z62ttigBXvUYHsueWQKSGZ5Xlu8mXxp5kLUv3mRUlNf4N/YAJwDwmVwAnTOKTX9tE7fEmHnECWuRn9/xucGCxG/jsDyle/wwT9Z07vRxLa2BxGVns4=<EncryptedKey>uR82OnkfvckBcKTJ5/mb7cUgs4NugSWttSRXLm5xkELz3S4KhOxTKLKOLSKK4LXZ2QHXH3pxzwP5v+DAk1cXHSm4n5VkYyv7I7yl9nrw7bsgH8OZJ4N0lHWMI3Y0J18sga+GvmqCwh5zLrlSVxYWSA==
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):372
                Entropy (8bit):5.925524853673415
                Encrypted:false
                SSDEEP:6:UGMEUSVtU5dWZUNgWdj4ylJERNefT9FqdA0CHruWdJZrtUQSpGJcBVFg5ObiwE33:fMEltUiqyWdcKyRsFqdA0CHqWHpJcLFe
                MD5:FEBD9A1973A701828BC130E13614782D
                SHA1:EBD167292E4950471F1B6B1D789DCA9AC9108666
                SHA-256:774D2F5F0C595ED6188955A55151870688EAD9AAF870175A61F0665A435DDD8D
                SHA-512:06325B289FFDC2AA8F7906B39E72E564DF5225A2DA15EDC0E29763B73FBB58170793378CF665B8E85C05A07A753EF4CE209B0488E9AF5DD75D1291F75B6E36A3
                Malicious:false
                Preview:<EncryptedKey>XhzuBe/azQtH5do8KW3W6Af33LLVDL0OP7s4ITQjGmQ4oObRGqE3wCUOnHLbatuem44OAd+hLxLtDXQAnbTrh7HrjUczvAqIIAJtSveDAmyNHFFX1a/cV5EDUVT4T9dQ271YMpzeuYDSxKs6WzfFgF3mvtInQhW8sVvW/FWUqtI=<EncryptedKey>x7EMEukhe7SgBe6+7kuAnY+hfz/L7LPbl2vxmWoDRFEkU8h597a/oR6Sx5+oMKK7RfYgviR6rdzknF0nxpysNGmF7HUkM8l/LSli8jvbNT0xd2DlVasBdYb95jA0Eq6CLOGwRyq19bhpWPw7G5WF++ts10lAQeVrg5Yud//Lf+g=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):352
                Entropy (8bit):5.889317838373172
                Encrypted:false
                SSDEEP:6:UGMEU+WBQLlPFWHzZRQrTvYWD70ZAKacOdjNaUtCcpunhJPTg79pJ2kGbPx+RSu+:fMEV5hPFWHzZRQrrYWD70ZycOd8O+CAZ
                MD5:4C2A83889B4F320CDF126EBFA30BE61C
                SHA1:7B643CA2F4F23F4A8E7EC497C852889A1B9C1149
                SHA-256:85F83A20A158FDC5C39EB42E21552153BF4CD4000F8C27C0ED5ACA99F162836A
                SHA-512:7BC60A94215836C1F25F5D13B19CD468E062A89014A56D2BBB2D5DD262EB5213CCE53ED44405B19D852CD98569921B5CA64E0960DA3AD8EFF1A0B66909D17E98
                Malicious:false
                Preview:<EncryptedKey>pqXtOddGVmzWYXcZ3Czbpc5fonuOtCd61753sWd0UXeCE76dX0WIoHtcpScc6IhtKh6mICnOUfip1cPUrRbloTFCGhKGZmvKsrLKhfmcGN+9WEOkwEnecLO+L9RfNasnoYE+Wg4+TNdVAbnEj89tXVbateolqfc2kxMviiB1r9w=<EncryptedKey>xDg7cNvyF0exK7BkkVRHjxmKi26JUVCPHFIhyUTQnOMvMJRSJWJOXWaTPAa9GThc3vo7BQAo8q+fmZzFQLXfxVm5zkxTLzKWy6FKzDHA+1Sk5XXsMwrqdu+eRSKobiMjQyQmkSrrxGoOLr6F6gpNTg==
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):372
                Entropy (8bit):5.9156290277562675
                Encrypted:false
                SSDEEP:6:UGMEU7XW/3iqzaz2BXkG2G43pT1Ch4SZQAYVUKPvVgik1VH/REbAw8A/48qsmSZb:fMESe3LUVpBEpZCVZPvVgHbH/ubgyZZb
                MD5:BE9CAEFD35C96391FB68017B024EAAFF
                SHA1:369A1EC4D81041520E376459709D1DE2B741BFA2
                SHA-256:6D3A8B81C9F4932E6984291BC41B6C47542BF0E2FDEC36ECF7BFA737BC321B66
                SHA-512:35EB3155210BF7FF87FCE6430A0141313ABC721E09E358D080BCA80CDFF48EE86CBA485B5AB7F6D0C8D0B35D666DF02D7474468C3120F7B745EC2A2092AB2AE7
                Malicious:false
                Preview:<EncryptedKey>p0G7p+LOg6u5dmMDC8KPFFAuQvlbO+OCrS5eKpCwB+WOFLlXLXcRX47FqZzEqcp9piwm0Yivc9JfC5QzJ8MwZeXVLhI+LYuQ0g9IJKVeZxeCcr6y+xyPXC/1cKRAohdUV3QQbLDnF3+bPj/WokRtmjrD0TlnH1gt/g5ajQWkZLs=<EncryptedKey>jAJ0jauCGCeA6l3MQxbDWSSSNFjkyIIRShNhUAsWJ1B71/CjobZp0QIV89O+5kgfBzTFLHy+5ATSWBo0yZWiiYx5CN38WO2yHyNrsM3msMA/znwICf8WKGULtPk3M7J+yoM0Q2kk7mh29F/QpuZzSbo9jvWCI7TQpc3IpcTdMyE=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):372
                Entropy (8bit):5.948103473934465
                Encrypted:false
                SSDEEP:6:UGMEUz5JzYGs99KVgcX5Aqj6mosstUthrc0ez3Sec95QjVaXqGcUYH4tRI:fMEu5JMv99yR5xj6ieSrhez37czCG9c/
                MD5:AC2C9D3F1E46A9D8322A13404A5FEAFA
                SHA1:F9D5824485ADF4B5BE67576B696B98E590374091
                SHA-256:B55E074929974EA56EF13C34CA88A651114CE1866823613A7D938737452F0CD1
                SHA-512:C18DAB311136797C0CF79D13C8ABBBE1640ADB071123D7CD0A400F8BD8E2B45FAB3E018A025414DC7EBB6E394807F47202DF5C102CEBDF86C87A803F3EF4A0BB
                Malicious:false
                Preview:<EncryptedKey>s3z/+x09GdWdEA2yHoYjI7rmcij5/XLvGDuEUpoC2bXliREgoT/1nUdwX/a5UoJYJzSFPe88JZZr7JuZg28fV+Sf3CZAdgIKEfR13NTirSIm+b3nY7TMAikkGyxBp/Xgg1kpaJmHOBlYuD43m3sIcMps6K+zWdxW3sIGAoRNo8w=<EncryptedKey>sLwIo2Djvve8MS9CdFOOtsePHAcm32RX8sq4zPLPSu7lyfnkVXxFmBQYdaXIQw5egy3xSa/08hNFdTqrKFPkJJj2ICAt2Cnxh9c3xZ4zBtIlI66g/sf1ChAnc4bFZFhu4HeZvGqvonXUW5cb3roMxNgMaOerFExqTjUCoRRyk7A=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):372
                Entropy (8bit):5.925755869120164
                Encrypted:false
                SSDEEP:6:UGMEUwSUZ2cAVQ7qIQE12+48qhOwHkUidQnOQC+NGQKuH6kwdSJdKZY:fME/SUZ5klE1T3wERdQOMKuakwdTY
                MD5:F25F5AFB3D93161D152C4CCD5BFE68BA
                SHA1:1C30C2B5C05475C61E10222F5B726E96FA36FD10
                SHA-256:EF0A174CECB5F56295FCE635330A9318C0919B3B103480FDE667C141965B6E38
                SHA-512:BF424B2B31DD8BF3B63920CF7469C055C9D3E6BD9190EBCDE4EE75EF5962912DFC707AD6D79F8523468D5C4A79018EDCA122E7211ABAD3C7CD1A27F246B4DEA8
                Malicious:false
                Preview:<EncryptedKey>NQy+71WfiBd+kDtsdhByC41YrHTxcnPKiwh/ZZfRiFlNJUo9SZ61DObriwXknsrqMRZUESxGCRCRBQljEciqgDBfyg5B4AYI2s3aOhwR8yagG7AITUhxtsYWZ7l+QMXcQ+qHvShZszWOIhBv6hCDtZ4YhcaZp6O83BmbYre1NTM=<EncryptedKey>OVK70lQSzpz48uz8cGOXFDGBbvSJwSN8aaugrU+osh8tKL0rgVEPKdnZwoOXaLUpJT1IpGH8OOmBeyXODJiruNQ2nF62MW1jFDo6XYINqwTCSsebF8EbvZ8yR5Y3I0Gns8sLpoZa92Xn2W1yCJPd9PH39QX1hKVtzX5FmykhKwo=
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):756
                Entropy (8bit):5.96736644708208
                Encrypted:false
                SSDEEP:12:fME4XUkyXSzy+xQI8gUIo/jvFoLkT9oAqpSAd00Q9Z+TfnOXsWWRmXgUecG+BE:fM3IXSush8F9jvyLyJqgAdO9MfnOXNWv
                MD5:8FDBFED4859C3484FECA8C827651E1D2
                SHA1:C93328DA9F00CC763BC4BFAEC2FD1AE84A4DB6AA
                SHA-256:1229C001CBBA56D56710BE92AFABBF8E31036162DD2A0C597246605C464F60BF
                SHA-512:CBB7623CB8ACAD71BDA5076A59E3FA1FA00985237F33DB466A48CA9F450101FCD6B66D4433A644327C9A661D2E33EFB4E22B5E6D717EA8D67321B5D3E061EAC5
                Malicious:false
                Preview:<EncryptedKey>b9Arbo9UOBjaAfTma/JBhYtk7JP7wMXN69HJmOoiXypr+XCATwtjIRGvmiXMyIP+/+RVG0DcVyQ72QWITuDtSd8BdsW47eARoI8cw1BjLrKHH3V0p8TgG9eWJpalvJTq4K9z/5GO370hEhqGyvQmpHViVeO2JdcoXsgPsFG2gDU=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.9825860240323925
                Encrypted:false
                SSDEEP:24:fMqsgpYk4jwF9lB+uDFmjpC40bf/WmAoCxPl:Uq3DR9lB+uDQ8f/Wmlet
                MD5:D7E0C6BAECDA06F3005CFA8DE05AA9A6
                SHA1:F304790C1AD1977A7D9A586B403CE8D36A7F9C19
                SHA-256:E9F7751923660383A2BFB1E553D5EA4B2A4E5EC4E6F45FC7AB0B666AD5F1C520
                SHA-512:D590BC114DAB2688E3B544655E3441FA62FB3CCA3D9A23D8F8023DB7A8792E0012AF0C9C1327022730FBDB77935FDCBBB461201F14AA9DEBA46A6ABBD7809C28
                Malicious:false
                Preview:<EncryptedKey>JGoZ4R/hLmfhziPqqTxn2rqBmParRhvAV36m8snUePS0f5rDJOtD1MKdclBhx/hL3isrqMsLk3IOUtYjqn+4MBm0CAiaD6v3rAyHUCuvYy6wRUPKfMgAFbOdFTC3+JhtpQecPJPOZzd6Zd74OPcrSbCraQAR0gBAIL3UD+t04yc=<EncryptedKey>
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.985086907692752
                Encrypted:false
                SSDEEP:24:fMVLOZcxNX4W5fUF6gvmDMXp7pamtuGgZyLUS92Ut0Wff:UViZcxmW5MF6gv0MXp02upyL6TYf
                MD5:5E8C34429360B7C5393581AF6ACB0A5B
                SHA1:09AAFDFCB6BBEBB0AF1F34DFD33C072C972A549A
                SHA-256:0E05D48CF245A469AA12E6618D82E114DEC362D33EA2E983F8F4AA75D7E7B49E
                SHA-512:62B2983D2BA7637E208C9A1731D4EB34818BB6F2F4401871C5E244A8C7ED4FD7BCBA4B50AB770EE7FEA666A4A5FF4C973AA0DD1A11D7D83162A938DBDDC7D1D6
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):456
                Entropy (8bit):5.938663759955112
                Encrypted:false
                SSDEEP:12:fMEhgFiIMrZiKPsa8V5SdDcpzOfbI7gEQrMfNrpOxhN6mgN:fMbiIMr45xmchOfskuKT61N
                MD5:FB7A58FF875AECAE64B6B65A045A559A
                SHA1:11B5C8AE7C78E1C685E87A64BB8148F98B045723
                SHA-256:CE489EDE1B007689B8BE89164DEC64DF5B9B718CC3D42868288826C432C0AE44
                SHA-512:26C51E33A0413F4DF4D8C5F1AD185873401006B3786BF9DE2B8A7D468DD74D8C04C5597D1613D37210F8CA64CCA6285A7CEC912B4820311C9DCECB97D21202A8
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.977286160840752
                Encrypted:false
                SSDEEP:24:fMJRxbQD7i5Otur1ng9vTR+eOkR4M+WX9Ch50HRGe1h2do:UfGviAgr1SV7R4Ajvh22
                MD5:0A12C999DE82F06692F85ECD6CB1E17E
                SHA1:6F06C49C354A0524086B5C8634BEB6B9318618A5
                SHA-256:363D679F0FF22B3D4C09C82EABC6D115DEDEB00FB53EDE3D47414832A7E75F94
                SHA-512:88BC1DC2C4E5BBF4C5D4CBFE9504B1521AF847D5B9579E491A0614E593BE94608B608FAFC59319A9C350E746FA105A7BC41FF7E77619CBD09E3C55BC274E04F7
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):584
                Entropy (8bit):5.938029326404581
                Encrypted:false
                SSDEEP:12:fMEgDrf0CO6IDsYBIAFwBgYVAuaeDVTXBW7guix0Ei4dpTG6pw1:fMX1LYBI8wBgYZakVTXBW7WD/G6ps
                MD5:D61AAB6EFCC63CA1737C455E3C46F018
                SHA1:95B6E189BF45827DF1D1687BD9AA90B5A8E2F90E
                SHA-256:94E83E5F07E317AF5952BCC5694DD432E9CF06E708CE2F33F8071E979E1552E7
                SHA-512:775FD0ACCBE539A4D5EAF5B9F8D2CCE98DF20DD310270D3FDE7919647417771A6266657CB053FC59D935231344A0EB18C9E4DC14322B91481514A71C85CBF113
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):904
                Entropy (8bit):5.959352898686485
                Encrypted:false
                SSDEEP:24:fM+jkjkTw8kl9z+AHGQqj/a+LypEWWtx8:U+jkjkTw8kvy6GQ2NypEWWk
                MD5:80D3AA2A344C5EDAAC93CE81AA6318A7
                SHA1:4E0E3B54A23957B2A8DD59F254B641388704A68A
                SHA-256:FCFCF5D9BD9A237E798C7E40401EBF6A9BFD34D0BEB5A7B6B409A0B51E92D80F
                SHA-512:6C22DDCF194C66D52265F42A7C6BA57AD77065D0CF1D1D95692FDA5B46B839E57AD2470EF00CC9B524488B4679DB4149DC3817DC22FBFC9DCCDDF62D2FF5AC96
                Malicious:false
                Process:C:\Users\user\AppData\Roaming\svchost.exe
                File Type:ASCII text, with very long lines, with no line terminators
                Category:dropped
                Size (bytes):884
                Entropy (8bit):5.969829924813065
                Encrypted:false
                SSDEEP:24:fMBDH7SotI7JG6WfCbkAZsOMetJAgHAjIqAp:UBfTIlG6JKetJ1g3Ap
                MD5:BBD4524E07AE9903FB639A2723B0D682
                SHA1:AAF81484832A23B5BAB6893B8B9636276576E5DB
                SHA-256:92386FFCEF2B32096A569C3AA1326E00A0262987416F26B8E033FBA8F6DC059B
                SHA-512:96DCDDBE78A80738D5D74D2C2A3A9517BAAE6A503B339CF954C63EA63B77A3F5A70E00C7FCBAAB64E7F56E6BCF645C450D610C0E18B3C3DFFED3635C68342648
                Malicious:false
                File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit):5.040668756488705
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                • Win32 Executable (generic) a (10002005/4) 49.78%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Generic Win/DOS Executable (2004/3) 0.01%
                • DOS Executable Generic (2002/1) 0.01%
                File name:enxV0qANdU.exe
                File size:26624
                MD5:cf6ff9e0403b8d89e42ae54701026c1f
                SHA1:a4f5cb11b9340f80a89022131fb525b888aa8bc6
                SHA256:a7f09cfde433f3d47fc96502bf2b623ae5e7626da85d0a0130dcd19d1679af9b
                SHA512:dca369de908ff4d8a6b095243d8837ad9eb885c78544565586196451f99303e9beb8635e01254514b485f22298b3eaf69afb3666b6032959ae3e9567e78dc575
                SSDEEP:384:Uo3Mg/bqo25M0RHcY5pmyjuwzUHJhr91CHW8wNa9get:UWqo2Zn5pPjKphr9z8wNHet
                TLSH:88C28115A7FA4639FAFB2F7859B111405B75BC53EC39C74C188A505E0C22B8CD9A0B6B
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....._b.................^...........|... ........@.. ....................................@................................
                Icon Hash:00828e8e8686b000
                Entrypoint:0x407cfe
                Entrypoint Section:.text
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                Time Stamp:0x625F98E9 [Wed Apr 20 05:23:53 2022 UTC]
                TLS Callbacks:
                CLR (.Net) Version:v4.0.30319
                OS Version Major:4
                OS Version Minor:0
                File Version Major:4
                File Version Minor:0
                Subsystem Version Major:4
                Subsystem Version Minor:0
                Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]
                add byte ptr [eax], al
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x7ca8 | 0x53 | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x4c8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x5d04 | 0x5e00 | False | 0.471700465426 | data | 5.20515007181 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                .rsrc | 0x8000 | 0x4c8 | 0x600 | False | 0.366536458333 | data | 3.66828770451 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0xa000 | 0xc | 0x200 | False | 0.041015625 | data | 0.0611628522412 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                Name | RVA | Size | Type | Language | Country
                RT_VERSION | 0x80a0 | 0x234 | data | |
                RT_MANIFEST | 0x82d8 | 0x1ea | XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators | |
                DLL | Import
                mscoree.dll | _CorExeMain
                Description | Data
                Translation | 0x0000 0x04b0
                LegalCopyright |
                Assembly Version | 0.0.0.0
                InternalName | amp.exe
                FileVersion | 0.0.0.0
                ProductVersion | 0.0.0.0
                FileDescription |
                OriginalFilename | amp.exe
                No network behavior found

                Target ID:0
                Start time:00:18:11
                Start date:26/04/2022
                Path:C:\Users\user\Desktop\enxV0qANdU.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\Desktop\enxV0qANdU.exe"
                Imagebase:0x140000
                File size:26624 bytes
                MD5 hash:CF6FF9E0403B8D89E42AE54701026C1F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:low

                Target ID:1
                Start time:00:18:18
                Start date:26/04/2022
                Path:C:\Users\user\AppData\Roaming\svchost.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                Imagebase:0x950000
                File size:26624 bytes
                MD5 hash:CF6FF9E0403B8D89E42AE54701026C1F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Yara matches:
                • Rule: Destructive_Ransomware_Gen1, Description: Detects destructive malware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: Florian Roth
                • Rule: MALWARE_Win_Chaos, Description: Detects Chaos ransomware, Source: C:\Users\user\AppData\Roaming\svchost.exe, Author: ditekSHen
                Antivirus matches:
                • Detection: 100%, Avira
                • Detection: 100%, Joe Sandbox ML
                • Detection: 59%, Virustotal, Browse
                • Detection: 90%, ReversingLabs
                Reputation:low

                Target ID:11
                Start time:00:18:38
                Start date:26/04/2022
                Path:C:\Users\user\AppData\Roaming\svchost.exe
                Wow64 process (32bit):false
                Commandline:"C:\Users\user\AppData\Roaming\svchost.exe"
                Imagebase:0xc50000
                File size:26624 bytes
                MD5 hash:CF6FF9E0403B8D89E42AE54701026C1F
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:.Net C# or VB.NET
                Reputation:low

                Target ID:21
                Start time:00:19:32
                Start date:26/04/2022
                Path:C:\Windows\System32\OpenWith.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                Imagebase:0x7ff6c63f0000
                File size:111120 bytes
                MD5 hash:D179D03728E95E040A889F760C1FC402
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:22
                Start time:00:19:34
                Start date:26/04/2022
                Path:C:\Windows\System32\notepad.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt
                Imagebase:0x7ff601e30000
                File size:245760 bytes
                MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:23
                Start time:00:19:34
                Start date:26/04/2022
                Path:C:\Windows\System32\notepad.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\readme.txt
                Imagebase:0x7ff601e30000
                File size:245760 bytes
                MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:26
                Start time:00:19:40
                Start date:26/04/2022
                Path:C:\Windows\System32\notepad.exe
                Wow64 process (32bit):false
                Commandline:"C:\Windows\system32\NOTEPAD.EXE" C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\readme.txt
                Imagebase:0x7ff601e30000
                File size:245760 bytes
                MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Target ID:29
                Start time:00:19:53
                Start date:26/04/2022
                Path:C:\Windows\System32\OpenWith.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\OpenWith.exe -Embedding
                Imagebase:0x7ff6c63f0000
                File size:111120 bytes
                MD5 hash:D179D03728E95E040A889F760C1FC402
                Has elevated privileges:false
                Has administrator privileges:false
                Programmed in:C, C++ or other language
                Reputation:high

                Reset < >
                  Memory Dump Source
                  • Source File: 00000000.00000002.271145932.00007FFC012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffc012e0000_enxV0qANdU.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b043e7e1c738f6b8ac4afc66adccd9d789bc68eeec0f331ceb380c51d7977db5
                  • Instruction ID: 2f3e960f4bab14e4c2bc4a02452758534403e4e529bccffd2019ea9c95a7b76b
                  • Opcode Fuzzy Hash: b043e7e1c738f6b8ac4afc66adccd9d789bc68eeec0f331ceb380c51d7977db5
                  • Instruction Fuzzy Hash: 00032174A9CA2A8FEB48E798C4D3AA977E2FB8C710F514574D009937C6CA24FC45C7A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.271145932.00007FFC012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffc012e0000_enxV0qANdU.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e00bffa2320fbe4182c6145fe6c36af72dee78fa6fa72768a66012322223d558
                  • Instruction ID: b253c6a6b726c8e14689ba40b57408ee131f8f717415d4ff5f01df57b1b450a0
                  • Opcode Fuzzy Hash: e00bffa2320fbe4182c6145fe6c36af72dee78fa6fa72768a66012322223d558
                  • Instruction Fuzzy Hash: AAF22174A98A2A8FEB44E758C4D3BA977E2FB9C700F414534D009A37C6CA24FC45CBA1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.271145932.00007FFC012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffc012e0000_enxV0qANdU.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 274819a198a2e23fdfa8c834cd69efde215a87a9f60fb05776faa8b24ddc3e87
                  • Instruction ID: 5ab38dfa60a07fc9daacfc41db3e86163adde359a6d4efb0bca965e7138287d5
                  • Opcode Fuzzy Hash: 274819a198a2e23fdfa8c834cd69efde215a87a9f60fb05776faa8b24ddc3e87
                  • Instruction Fuzzy Hash: A5717321A0C96E8FEB99E72884556F9BBE1EF89710F0801B6D04DD72D7CD186C46C7B1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.271145932.00007FFC012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffc012e0000_enxV0qANdU.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: cb591981e6d8e030ba55789eefdea6a10934db60c01b788f8c1e075fb8c11891
                  • Instruction ID: 36779f361a9661f70a70c5283a731d58305c8ee8bd721ba73009bd1ded62900f
                  • Opcode Fuzzy Hash: cb591981e6d8e030ba55789eefdea6a10934db60c01b788f8c1e075fb8c11891
                  • Instruction Fuzzy Hash: 4641E910D0C5BF8EFB99E32488957B4ABD1AF46710F4901B9D04ECA1D3CE9C6887C366
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.271145932.00007FFC012E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffc012e0000_enxV0qANdU.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8c23123024fefd80ed40becf9e156ec9196804b74d548fe4a6e7320ed44ca9b2
                  • Instruction ID: 7c0b21092433ebd7d42db8e44b63db9d901d49f87d3ddf06c7afebe3be9657e4
                  • Opcode Fuzzy Hash: 8c23123024fefd80ed40becf9e156ec9196804b74d548fe4a6e7320ed44ca9b2
                  • Instruction Fuzzy Hash: 23318C31A08A2D8FDB85EB6884546FCB7F1FF48301F5800BAD40DE7292DE39A942C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d64e6fec42914b13647b175ecf6c0404c1a669d20e612c12aa52c29289d2d499
                  • Instruction ID: cf2809cddb289aa4eb418f695fc3d87efea5562f83c01ae46aa17143e325b3fd
                  • Opcode Fuzzy Hash: d64e6fec42914b13647b175ecf6c0404c1a669d20e612c12aa52c29289d2d499
                  • Instruction Fuzzy Hash: B1033174A98A2ACBEB40E758C4D3AF977E2FB9C710F5105B4D109937C6CA28BC45C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c0a949c95af22381d1e441b50e6137fa9c3218406384943f5d79d17f0bb0d89b
                  • Instruction ID: 2b171b6260ec57f15014a32f36c919ee93414e55bcf73a745e03c3d89a56f79d
                  • Opcode Fuzzy Hash: c0a949c95af22381d1e441b50e6137fa9c3218406384943f5d79d17f0bb0d89b
                  • Instruction Fuzzy Hash: AB032174A98A2ACBEB40E758C4D3AF977E2FB9C710F5105B4D109937C6CA28BC45C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9294a88a0389dbd3fab95f0383a6da304654eabf54ddbed901561dba97e090ac
                  • Instruction ID: 4ebeb703d0d51a803532164d084b44947b7330af555debec2455258b06ddc48d
                  • Opcode Fuzzy Hash: 9294a88a0389dbd3fab95f0383a6da304654eabf54ddbed901561dba97e090ac
                  • Instruction Fuzzy Hash: 50032174A98A2ACBEB40E758C4D3AF977E2FB9C710F5105B4D109937C6CA28BC45C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e40e70897dd41f2bdd6da35458c113dc55efc108770c267f087d259d14c931a0
                  • Instruction ID: df2b54fbefd30ae0be9d490b4c435dbd94e62ffd2502bd77f652b1b239c67ed8
                  • Opcode Fuzzy Hash: e40e70897dd41f2bdd6da35458c113dc55efc108770c267f087d259d14c931a0
                  • Instruction Fuzzy Hash: BFF22174A98A2ACBEB40E758C4D3AF977E2FB9C700F5145A4D10D937C6CA28BC45C762
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt4_
                  • API String ID: 0-1725544293
                  • Opcode ID: 8ea0023294b6de333bf2422d8015361d93657fd2b8ff7ba30394407b49cd2c03
                  • Instruction ID: 1393c9296067d500f11259a673377f14f22327db032c611da465f09f9230e06c
                  • Opcode Fuzzy Hash: 8ea0023294b6de333bf2422d8015361d93657fd2b8ff7ba30394407b49cd2c03
                  • Instruction Fuzzy Hash: 27912661A1C95E4FEB59E72C98552B9BBE2FF89710F0485BAE00DD3387DD286C42C391
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID: N
                  • API String ID: 0-2459491761
                  • Opcode ID: eff4809d80ed9fbccc0148ecb53ef732e944b291479c9ff83da7754c04be466a
                  • Instruction ID: d1a234602e353631073bb1f644ce33c8bd7bb8f5695b14f54f3a2be002363a1d
                  • Opcode Fuzzy Hash: eff4809d80ed9fbccc0148ecb53ef732e944b291479c9ff83da7754c04be466a
                  • Instruction Fuzzy Hash: 4B618F31A1892E8FEB88F75CD485ABCB7E2FF98750F150479E10ED3292DD28A846C750
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: dd30f88295f08df2e0b475d6547124430dbc9282d385e02f6449b2a131d6ca9f
                  • Instruction ID: 439aad21f1cd9fa69827e3595a126a9d9749410f28e418c0e3a49bd875facfef
                  • Opcode Fuzzy Hash: dd30f88295f08df2e0b475d6547124430dbc9282d385e02f6449b2a131d6ca9f
                  • Instruction Fuzzy Hash: 3D91A322A0C9AE8FEB46E72C84556F9BBA1EF86720F1801B6D14DC71D3DD18694BC371
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 323a45c5e9365b0ff1814a762025a4d05a94845a03fc427c979b0915f76c808c
                  • Instruction ID: 2e23673830664aeb3e3b88c0291cbdd0c6625b1b305b1173b36d6676fc0dad93
                  • Opcode Fuzzy Hash: 323a45c5e9365b0ff1814a762025a4d05a94845a03fc427c979b0915f76c808c
                  • Instruction Fuzzy Hash: CF91B53065C96ECFEB84FB28D4C5A75BBD1FBA9B40B4405B9E20EC3293DD24A846C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: b89bf25abac5e3a9d2d4c87d0b6ce66163464b3e3597c9700a5114dac9b7c0b4
                  • Instruction ID: 132e3b14eb73a9ac12ca6ae4993eb387644265366862a3fd7725577549d854aa
                  • Opcode Fuzzy Hash: b89bf25abac5e3a9d2d4c87d0b6ce66163464b3e3597c9700a5114dac9b7c0b4
                  • Instruction Fuzzy Hash: CB717F31B1892E8FEB88F7688455ABDA7E2FF98710F150479E10ED3293DD24AC46C760
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 340b5ec6a69ebcecf9a6d331c703e272811753922dd3aa80410a7c4b9e0e0074
                  • Instruction ID: 1a6c7233b713ed5c5c1ec08ace3b0abf31e2cc2fd4737e23134bd2cfe49b44e6
                  • Opcode Fuzzy Hash: 340b5ec6a69ebcecf9a6d331c703e272811753922dd3aa80410a7c4b9e0e0074
                  • Instruction Fuzzy Hash: E7711730A0C96E8FDB94EB28C4546B9B7E1FF99300F1545BAD44DD7292DE24AC06C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 6f582bc7d882c9189d76129a5d129f0f3ca5c65eb6946115f7992bd0762ad6b9
                  • Instruction ID: edfeaa59af198de5c11ed0f35188c915018f7f58976920637a565a76953cc8b5
                  • Opcode Fuzzy Hash: 6f582bc7d882c9189d76129a5d129f0f3ca5c65eb6946115f7992bd0762ad6b9
                  • Instruction Fuzzy Hash: 5F31A221B1896D8FEB85F77888556F9BBE2FF99750B0401BAD04DC72A3DD28A802C751
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e3bc0bbc051ca1c87473698ff0365fcb0822131507c43ebb555b470c0518318a
                  • Instruction ID: 295a5aef36260a7dcb681c379ef6cbf14ce7ba7588a8dda67446dee35a5e376b
                  • Opcode Fuzzy Hash: e3bc0bbc051ca1c87473698ff0365fcb0822131507c43ebb555b470c0518318a
                  • Instruction Fuzzy Hash: DC41C650C4C6ABCEF795E32488957B4BBD1AF96B40F4802B5D24DC61D3DE9D2886C326
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d35905cfc322945efdd0f9fc5c702c673c4f868abf4f5a59c092db92c5fc6c2b
                  • Instruction ID: 20ebe8ea2a6e2274bce1ca45969c872afadb4585313b959a317c518bde9676ae
                  • Opcode Fuzzy Hash: d35905cfc322945efdd0f9fc5c702c673c4f868abf4f5a59c092db92c5fc6c2b
                  • Instruction Fuzzy Hash: D221A110B08D6E4FEB88F36C54197B9A6C2EBDD611F1901BAE50DC3393DC68AC46C3A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aa95ecc17eef0ce17dcf1390629ff6b1c9281625de7c3de59ceff67c6465659c
                  • Instruction ID: b6bdc774ed1d1f0d2c2eb1fee5c288a645addc8a1f6500ad463923b8bfd58580
                  • Opcode Fuzzy Hash: aa95ecc17eef0ce17dcf1390629ff6b1c9281625de7c3de59ceff67c6465659c
                  • Instruction Fuzzy Hash: AC31F631D1CA5E9FEB49EB18C4459B9BBE1FF59710F0501ADE04DD3293DE24A846CB50
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 80340b49f32feca85ac4a0b128874da6e55e82e787ac423957e4054a39c76c10
                  • Instruction ID: e7ec10ca478a98abed49f702ead5645d51766b00ce8160c6fb9a7b1a4eacc8d9
                  • Opcode Fuzzy Hash: 80340b49f32feca85ac4a0b128874da6e55e82e787ac423957e4054a39c76c10
                  • Instruction Fuzzy Hash: E2316D34A0892E8FDF84EF58C440AFAB7E1FF98340F1445B6D45DE3291DA34A941CB61
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0f4972be1d145d1868ff938e7ba80e985b3f727cb6eb780833afc3ab8dd43fd8
                  • Instruction ID: 9bbebfeac24955b630d7f6366c000b3376ff76c182c5ce94c52e3cdbcc98d7e8
                  • Opcode Fuzzy Hash: 0f4972be1d145d1868ff938e7ba80e985b3f727cb6eb780833afc3ab8dd43fd8
                  • Instruction Fuzzy Hash: F2316E31A08A2D8FDB85EB6884546FCB7F1FF48311F5800BAD40DE7292DE39A946C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: e40265b4430c90b4d228db24012a6c6013d46739c4d0482d89f45bebae962ae1
                  • Instruction ID: 1d7a4c1babac0a620cea3707e75d1cb21a4ac3244f02206870c9977c26ec7f2c
                  • Opcode Fuzzy Hash: e40265b4430c90b4d228db24012a6c6013d46739c4d0482d89f45bebae962ae1
                  • Instruction Fuzzy Hash: 2C214971A0891D4FEF84EB6C84596EDB7E2FFA8311F550176E40DE3292DE289842C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ab7b1c6911930cf013fa61c2f1b9ef253b99ddb45ccfc2b5290369c9b2788670
                  • Instruction ID: c39467d95b979d3f9b4706cfed64d7facbe62c7174073de6275388c20f0a2bb4
                  • Opcode Fuzzy Hash: ab7b1c6911930cf013fa61c2f1b9ef253b99ddb45ccfc2b5290369c9b2788670
                  • Instruction Fuzzy Hash: FA21083169C96D4FEB41E728A4055F5BBE5FF46314F0802B7E01CC7183DE196916C3A1
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: fe5ee25e6e84f9f276a45f615997f366ae2b9ed6bda1257af0f90c5da9713f8a
                  • Instruction ID: 8555d055fec232977361f0e9b3d46cc4e52ec4ef6250b65f8cbfdf286d559949
                  • Opcode Fuzzy Hash: fe5ee25e6e84f9f276a45f615997f366ae2b9ed6bda1257af0f90c5da9713f8a
                  • Instruction Fuzzy Hash: 18215110B1C96E4FE788E72C846A7B9A7D2EF99610F4945B6E10DC72D3DC18AC05C761
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 148065fb79ab24b7d9004468c7f04ed9ed560d65ed66bde292fae8a05f069a64
                  • Instruction ID: 23610249998888d782d87296897385c7192672dcf8e6ee607f8f85d0772d783f
                  • Opcode Fuzzy Hash: 148065fb79ab24b7d9004468c7f04ed9ed560d65ed66bde292fae8a05f069a64
                  • Instruction Fuzzy Hash: 2F21606094E7DA5FD357833858245A0BFE1AF9722170E85FBC488CE5A3CA4C594BC3B2
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: bc4aaf226d35c4f171f5fca49ac8efc37f8b799a742967a9a45edbf17ff705df
                  • Instruction ID: a4065ae9c589787351b3a0ac26e7176a3856cb2e69da61c60642ba314a672df9
                  • Opcode Fuzzy Hash: bc4aaf226d35c4f171f5fca49ac8efc37f8b799a742967a9a45edbf17ff705df
                  • Instruction Fuzzy Hash: 36012F11A0D86A4FE798A32C14151B876D3FFC971075841B6E00DD72CBDD18AC47C3A5
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: aa168653e537f6f866629c151f43bbcb91300fd9695fe9a2dbe62b8fc118af27
                  • Instruction ID: 1d8d90b32f4cad8c9e8baa6cad178e2804334e7909f008a1db8e22e202e53dd2
                  • Opcode Fuzzy Hash: aa168653e537f6f866629c151f43bbcb91300fd9695fe9a2dbe62b8fc118af27
                  • Instruction Fuzzy Hash: CD112A9684E7EA9FEB6387740C79060BFB05E13914B1E04EBD5C8CA4E3D44D184AD72A
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9123405c51c34ab7796da634823f81bdc82ad29e72d154991d2ce53bae24cba8
                  • Instruction ID: e0a54f678dd57ccde13ab7ddb42ca199bb69d0fd0e0918cfeea91f2e0f192f25
                  • Opcode Fuzzy Hash: 9123405c51c34ab7796da634823f81bdc82ad29e72d154991d2ce53bae24cba8
                  • Instruction Fuzzy Hash: B7F0A95184D6EB0FE75653341C520F57F70DB02610B0A44E7D189C7493D80D2993C3A6
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c85bbb076511c236df558b2b431bde57e0ab6ccf9f2e7170f18c74497c76cf60
                  • Instruction ID: b955f6dfb981405789acca0367503d71a048f52acb7a3a3f5a4ea88284b98c79
                  • Opcode Fuzzy Hash: c85bbb076511c236df558b2b431bde57e0ab6ccf9f2e7170f18c74497c76cf60
                  • Instruction Fuzzy Hash: 15F0B451F1D9AE8FEFA9FB2808652B9A691EF59B10B4104F9D10DC31D2DD481C0A8351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2f4ececc5244531094c46b4696fa34661d8d6bfe6e285aee48df644cf9e16b54
                  • Instruction ID: 81e33bae2b44c240fd9d76ed45f5245adcfca820412b02ccb213dba80104a9f7
                  • Opcode Fuzzy Hash: 2f4ececc5244531094c46b4696fa34661d8d6bfe6e285aee48df644cf9e16b54
                  • Instruction Fuzzy Hash: C4E0D81184D7E90FD762A33950910E3BFA0DF4621070501DAD088CA193E8899886C351
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000001.00000002.536404578.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_1_2_7ffc012c0000_svchost.jbxd

                  Memory Dump Source
                  • Source File: 0000000B.00000002.531511372.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_7ffc012c0000_svchost.jbxd

                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.531511372.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID: jt4_
                  • API String ID: 0-1725544293

                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.531511372.00007FFC012C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFC012C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_7ffc012c0000_svchost.jbxd
                  Similarity
                  • API ID:
                  • String ID: N
                  • API String ID: 0-2459491761