Free Automated Malware Analysis Service - powered by Falcon Sandbox - Viewing online file analysis results for 'horsedeal.exe'

malicious

Threat Score: 100/100 AV Detection: 86% Labeled as: Trojan.Ransom.Outsider #Horsedeal #BigBossHorse #ransomware

horsedeal.exe

This report is generated from a file or URL submitted to this webservice on January 14th 2020 16:45:03 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.30 © Hybrid Analysis

Overview Sample unavailable Re-analyze Hash Seen Before Show Similar Samples Report False-Positive Request Report Deletion

Incident Response

Risk Assessment

Ransomware: Detected indicator that file is ransomware
Fingerprint: Queries kernel debugger information
Queries process information
Reads the active computer name
Reads the cryptographic machine GUID
Spreading: Opens the MountPointManager (often used to detect additional infection locations)

MITRE ATT&CK™ Techniques Detection

This report has 10 indicators that were mapped to 7 attack techniques and 5 tactics. View all details

Execution
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1035	Service Execution	Execution	Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. Learn more		1 confidential indicators
Persistence
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1215	Kernel Modules and Extensions	Persistence	Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. Learn more			Opens the Kernel Security Device Driver (KsecDD) of Windows
Defense Evasion
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1045	Software Packing	Defense Evasion	Software packing is a method of compressing or encrypting an executable. Learn more		PE file is packed with UPX	Matched Compiler/Packer signature
Discovery
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1046	Network Service Scanning	Discovery	Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Learn more		Detected increased number of ARP broadcast requests (network device lookup)
T1012	Query Registry	Discovery	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software. Learn more		Reads the cryptographic machine GUID Monitors specific registry key for changes Reads the active computer name
T1057	Process Discovery	Discovery	Adversaries may attempt to get information about running processes on a system. Learn more		Queries process information
Collection
ATT&CK ID	Name	Tactics	Description	Malicious Indicators	Suspicious Indicators	Informative Indicators
T1114	Email Collection	Collection	Adversaries may target user email to collect sensitive information from a target. Learn more		1 confidential indicators

Indicators

Not all malicious and suspicious indicators are displayed. Get your own cloud service or the full version to view all details.

Malicious Indicators 3
External Systems
- Sample was identified as malicious by a large number of Antivirus engines
  
  details
  
  30/69 Antivirus vendors marked sample as malicious (43% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
- Sample was identified as malicious by at least one Antivirus engine
  
  details
  
  30/69 Antivirus vendors marked sample as malicious (43% detection rate)
  
  source
  
  External System
  
  relevance
  
  8/10
Hiding 1 Malicious Indicators
- All indicators are available only in the private webservice or standalone version

Suspicious Indicators 23
Anti-Detection/Stealthyness
- Queries kernel debugger information
  
  details
  
  "horsedeal.exe" at 00028587-00001132-00000105-9016619274
  
  source
  
  API Call
  
  relevance
  
  6/10
- Queries process information
  
  details
  
  "horsedeal.exe" queried SystemProcessInformation at 00028587-00001132-00000105-8974367876
  
  source
  
  API Call
  
  relevance
  
  4/10
  
  ATT&CK ID
  
  T1057 (Show technique in the MITRE ATT&CK™ matrix)
Anti-Reverse Engineering
- PE file has unusual entropy sections
  
  details
  
  UPX1
  .rsrc with unusual entropies 7.94055665984
  7.40381589448
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- PE file is packed with UPX
  
  details
  
  "f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin" has a section named "UPX0"
  "f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin" has a section named "UPX1"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1045 (Show technique in the MITRE ATT&CK™ matrix)
Environment Awareness
- Reads the active computer name
  
  details
  
  "horsedeal.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
  
  source
  
  Registry Access
  
  relevance
  
  5/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Reads the cryptographic machine GUID
  
  details
  
  "horsedeal.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
  
  source
  
  Registry Access
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
External Systems
- Found an IP/URL artifact that was identified as malicious by at least one reputation engine
  
  details
  
  1/72 reputation engines marked "https://pidgin.im" as malicious (1% detection rate)
  1/72 reputation engines marked "https://pidgin.im/download/windows/" as malicious (1% detection rate)
  1/72 reputation engines marked "https://www.youtube.com" as malicious (1% detection rate)
  
  source
  
  External System
  
  relevance
  
  10/10
General
- Reads configuration files
  
  details
  
  "horsedeal.exe" read file "C:\$Recycle.Bin\S-1-5-21-2092356043-4041700817-663127204-1001\desktop.ini"
  "horsedeal.exe" read file "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini"
  "horsedeal.exe" read file "%PROGRAMFILES%\Adobe\Acrobat Reader DC\Reader\Legal\ENU\eula.ini"
  
  source
  
  API Call
  
  relevance
  
  4/10
Installation/Persistance
- Creates new processes
  
  details
  
  "horsedeal.exe" is creating a new process
  
  source
  
  API Call
  
  relevance
  
  8/10
- Monitors specific registry key for changes
  
  details
  
  "horsedeal.exe" monitors "\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NetworkProvider\HwOrder" (Filter: 4; Subtree: 0)
  
  source
  
  API Call
  
  relevance
  
  4/10
  
  ATT&CK ID
  
  T1012 (Show technique in the MITRE ATT&CK™ matrix)
- Opens the MountPointManager (often used to detect additional infection locations)
  
  details
  
  "horsedeal.exe" opened "\Device\MountPointManager"
  
  source
  
  API Call
  
  relevance
  
  5/10
Network Related
- Detected increased number of ARP broadcast requests (network device lookup)
  
  details
  
  Attempt to find devices in networks: "192.168.240.107/32, ..."
  
  source
  
  Network Traffic
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1046 (Show technique in the MITRE ATT&CK™ matrix)
Ransomware/Banking
- Detected indicator that file is ransomware
  
  details
  
  "All your files have been ENCRYPTED!!!" (Source: #Decryption#.txt, Indicator: "files have been encrypted")
  "All your files have been ENCRYPTED!!!
  Write to our ICQ https://icq.im/bigbosshorse
  Or contact us via jabber - bigbosshorse@xmpp.jp
  Jabber client installation instructions:
  Download the jabber (Pidgin) client from https://pidgin.im/download/windows/
  
  Af" (Source: 00028587-00001132-0000018C-6159158567, Indicator: "files have been encrypted")
  
  source
  
  File/Memory
  
  relevance
  
  7/10
- The input sample dropped very many files
  
  details
  
  The input sample dropped 2000 files (often an indicator for ransomware)
  
  source
  
  Binary File
  
  relevance
  
  5/10
Spyware/Information Retrieval
- Found an instant messenger related domain
  
  details
  
  "Download the jabber (Pidgin) client from https://pidgin.im/download/windows/" (Indicator: "pidgin.im"; File: "#Decryption#.txt")
  "All your files have been ENCRYPTED!!!
  Write to our ICQ https://icq.im/bigbosshorse
  Or contact us via jabber - bigbosshorse@xmpp.jp
  Jabber client installation instructions:
  Download the jabber (Pidgin) client from https://pidgin.im/download/windows/
  
  Af" (Indicator: "pidgin.im")
  
  source
  
  File/Memory
  
  relevance
  
  10/10
System Destruction
- Opens file with deletion access rights
  
  details
  
  "horsedeal.exe" opened "C:\$Recycle.Bin\S-1-5-21-2092356043-4041700817-663127204-1001\desktop.ini" with delete access
  "horsedeal.exe" opened "C:\autoexec.bat" with delete access
  "horsedeal.exe" opened "C:\config.sys" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.msi" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.cab" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OnoteLR.cab" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\dwintl20.dll" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\DW20.EXE" with delete access
  "horsedeal.exe" opened "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\setup.chm" with delete access
  "horsedeal.exe" opened "%SAMPLEDIR%\1579020316362$MAPFAILURE" with delete access
  "horsedeal.exe" opened "%SAMPLEDIR%\1579020316362$OK" with delete access
  
  source
  
  API Call
  
  relevance
  
  7/10
Unusual Characteristics
- Entrypoint in PE header is within an uncommon section
  
  details
  
  "f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin" has an entrypoint in section "UPX1"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
- Imports suspicious APIs
  
  details
  
  VirtualProtect
  GetProcAddress
  LoadLibraryA
  ShellExecuteW
  
  source
  
  Static Parser
  
  relevance
  
  1/10
Hiding 5 Suspicious Indicators
- All indicators are available only in the private webservice or standalone version

Informative 9
Anti-Reverse Engineering
- PE file contains zero-size sections
  
  details
  
  Raw size of "UPX0" is zero
  
  source
  
  Static Parser
  
  relevance
  
  10/10
General
- Overview of unique CLSIDs touched in registry
  
  details
  
  "horsedeal.exe" touched "Computer" (Path: "HKCU\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\SHELLFOLDER")
  
  source
  
  Registry Access
  
  relevance
  
  3/10
Installation/Persistance
- Connects to LPC ports
  
  details
  
  "horsedeal.exe" connecting to "\ThemeApiPort"
  
  source
  
  API Call
  
  relevance
  
  1/10
- Dropped files
  
  details
  
  "#Decryption#.txt" has type "ASCII text with very long lines with CRLF line terminators"
  
  source
  
  Binary File
  
  relevance
  
  3/10
- Touches files in the Windows directory
  
  details
  
  "horsedeal.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
  "horsedeal.exe" touched file "%WINDIR%\sysnative\cmd.exe"
  "horsedeal.exe" touched file "%WINDIR%\System32\rsaenh.dll"
  "horsedeal.exe" touched file "%WINDIR%\System32\crypt32.dll"
  
  source
  
  API Call
  
  relevance
  
  7/10
Network Related
- Found potential URL in binary/memory
  
  details
  
  Pattern match: "icq.im/bigbosshors"
  Heuristic match: "GoodFon.ru"
  Heuristic match: "*%5 .tp"
  Pattern match: "https://icq.im/bigbosshorse"
  Heuristic match: "Or contact us via jabber - bigbosshorse@xmpp.jp"
  Pattern match: "https://pidgin.im/download/windows/"
  Heuristic match: "In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im"
  Pattern match: "https://www.youtube.com/results?search_query=pidgin+jabber+install"
  
  source
  
  File/Memory
  
  relevance
  
  10/10
Spyware/Information Retrieval
- Found a reference to a known community page
  
  details
  
  "If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install" (Indicator: "youtube")
  
  source
  
  File/Memory
  
  relevance
  
  7/10
System Security
- Opens the Kernel Security Device Driver (KsecDD) of Windows
  
  details
  
  "horsedeal.exe" opened "\Device\KsecDD"
  
  source
  
  API Call
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1215 (Show technique in the MITRE ATT&CK™ matrix)
Unusual Characteristics
- Matched Compiler/Packer signature
  
  details
  
  "f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin" was detected as "Netopsystems FEAD Optimizer 1"
  
  source
  
  Static Parser
  
  relevance
  
  10/10
  
  ATT&CK ID
  
  T1045 (Show technique in the MITRE ATT&CK™ matrix)

File Details

All Details:

horsedeal.exe

Filename: horsedeal.exe
Size: 1.6MiB (1723392 bytes)
Type: peexe executable
Description: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
Architecture
: WINDOWS
SHA256
: f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a
MD5
: e2fc5651081ca53ebb208202fa4d733a
SHA1
: 5a37fd94e215a8c70c2ca7f890b373136afcb537
ssdeep
: 49152:huyCquB+EnabTH9Gey7Wm5iPc0dZSIycIMHZRaEXJJI94:hY+EnMH2rQPcPQRaIjI
imphash
: 42a4b12d2880145c3c3f8926eca4cd26
authentihash
: 3155c7eced78881fe901855ffc344dc37490a1b4474f3b6c8befe65ff7f8d557
Compiler/Packer
: Netopsystems FEAD Optimizer 1

Resources

Language
: NEUTRAL
Icon

Visualization

Input File (PortEx)

Version Info

LegalCopyright: Copyright (C) 2012
InternalName: avgdiagex.exe
FileVersion: 14.0.1001.380
CompanyName: AVG Technologies, sro
Comments: Local Build
ProductName: AVG Diagnostics
ProductVersion: 14.0.1001.380
FileDescription: AVG Diagnostics
OriginalFilename: avgdiagex.exe
Translation: 0x0405 0x04b0

Classification (TrID)

61.2% (.EXE) UPX compressed Win32 Executable
14.8% (.DLL) Win32 Dynamic Link Library (generic)
10.2% (.EXE) Win32 Executable (generic)
4.5% (.EXE) OS/2 Executable (generic)
4.5% (.EXE) Generic Win/DOS Executable

File Metadata

1 .OBJ Files (COFF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 28314)
2 .OBJ Files (OMF) linked with LINK.EXE 5.10 (Visual Studio 5) (build: 28314)
4 .BAS Files compiled with C2.EXE 5.0 (Visual Basic 6) (build: 28314)

13 .LIB Files generated with LIB.EXE 9.00 (Visual Studio 2008) (build: 30729)

File contains Visual Basic code
File appears to contain raw COFF/OMF content
File is the product of a small codebase (4 files)

File Sections

Details	Name	Entropy	Virtual Address	Virtual Size	Raw Size	MD5	Characteristics
Name UPX0 Entropy 0 Virtual Address 0x1000 Virtual Size 0x6c000 Raw Size 0x0 MD5 d41d8cd98f00b204e9800998ecf8427e	UPX0	0	0x1000	0x6c000	0x0	d41d8cd98f00b204e9800998ecf8427e	-
Name UPX1 Entropy 7.94055665984 Virtual Address 0x6d000 Virtual Size 0x18f000 Raw Size 0x18f000 MD5 47e2a1b2bf75d0a9faab0cf215c2d480	UPX1	7.94055665984	0x6d000	0x18f000	0x18f000	47e2a1b2bf75d0a9faab0cf215c2d480	-
Name .rsrc Entropy 7.40381589448 Virtual Address 0x1fc000 Virtual Size 0x16000 Raw Size 0x15800 MD5 32bce1b80089f432287f212c543839a5	.rsrc	7.40381589448	0x1fc000	0x16000	0x15800	32bce1b80089f432287f212c543839a5	-

File Resources

Details	Name	RVA	Size	Type	Language
Name RT_ICON RVA 0x1fc29c Size 0x128 Type GLS_BINARY_LSB_FIRST Language Neutral	RT_ICON	0x1fc29c	0x128	GLS_BINARY_LSB_FIRST	Neutral
Name RT_ICON RVA 0x1fc3c8 Size 0x568 Type GLS_BINARY_LSB_FIRST Language Neutral	RT_ICON	0x1fc3c8	0x568	GLS_BINARY_LSB_FIRST	Neutral
Name RT_ICON RVA 0x1fc934 Size 0x2e8 Type data Language Neutral	RT_ICON	0x1fc934	0x2e8	data	Neutral
Name RT_ICON RVA 0x1fcc20 Size 0x8a8 Type data Language Neutral	RT_ICON	0x1fcc20	0x8a8	data	Neutral
Name RT_ICON RVA 0x1fd4cc Size 0xb6d0 Type PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced Language Neutral	RT_ICON	0x1fd4cc	0xb6d0	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Neutral
Name RT_ICON RVA 0x208ba0 Size 0x468 Type GLS_BINARY_LSB_FIRST Language Neutral	RT_ICON	0x208ba0	0x468	GLS_BINARY_LSB_FIRST	Neutral
Name RT_ICON RVA 0x20900c Size 0x988 Type data Language Neutral	RT_ICON	0x20900c	0x988	data	Neutral
Name RT_ICON RVA 0x209998 Size 0x10a8 Type data Language Neutral	RT_ICON	0x209998	0x10a8	data	Neutral
Name RT_ICON RVA 0x20aa44 Size 0x25a8 Type data Language Neutral	RT_ICON	0x20aa44	0x25a8	data	Neutral
Name RT_ICON RVA 0x20cff0 Size 0x4228 Type dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 0 Language Neutral	RT_ICON	0x20cff0	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 0	Neutral
Name RT_GROUP_ICON RVA 0x21121c Size 0x92 Type MS Windows icon resource - 10 icons, 16x16, 16 colors Language Neutral	RT_GROUP_ICON	0x21121c	0x92	MS Windows icon resource - 10 icons, 16x16, 16 colors	Neutral
Name RT_VERSION RVA 0x2112b4 Size 0x328 Type data Language Czech	RT_VERSION	0x2112b4	0x328	data	Czech

File Imports

CryptGenKey

ExitProcess

GetProcAddress

LoadLibraryA

VirtualProtect

WNetOpenEnumW

ShellExecuteW

StrStrW

SystemParametersInfoW

Screenshots

Loading content, please wait...

Hybrid Analysis

Tip: Click an analysed process below to view more details.

Analysed 1 process in total (System Resource Monitor).

horsedeal.exe (PID: 1132) 30/69

Logged Script Calls	Logged Stdout	Extracted Streams	Memory Dumps
Reduced Monitoring	Network Activityy	Network Error	Multiscan Match

Network Analysis

DNS Requests

No relevant DNS requests were made.

Contacted Hosts

No relevant hosts were contacted.

HTTP Traffic

No relevant HTTP requests were made.

Extracted Strings

!!!!%%%(((((((((((

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!!%%%((((((((!(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%%(((()))).).))

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%(()0uvz{{{{{{y

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!%xLApLP|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"!!"(%())0))((!!!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"""""""")

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%!((()01uvyxyy10

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%%%()).001111

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%()1x{{~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

",muZ<_\.

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$&i,-Cn6bF

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$3XS040|I

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$Drives".n6rstAW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$X9z=i#Z]j

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%!d}r2$:[

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%(0uyyyyu0)(!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%GUID:"Computer"%

Unicode based on Runtime Data (horsedeal.exe )

)B nGi}H`

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)D|$${R"<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)q>W0yE<e)bU

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)X{B*aH|v

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*%5 .tp

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*- S@xmpp.jp`

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*8EV^wkAW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*_PaEKbl_3

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*LY6Qk,Pf

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+@_\|P$gCo

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+ACA2Q(Cn

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+HX_H=Yx(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+nqyvZtgpjCy

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+w@Wi"exd

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,b $F))%

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,fGYTQiI4

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,Hlt<ElNzK

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,lK/[zR.F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

-W2x0dE~r

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

-YQl`aN`E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.$fi%bwm"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.AvbKm%~U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.d)DjL6.hdP

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.l|l@@@;Q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.YY_U"{t\

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

/c'm8r(E6A

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

/Vsm0Q54TuzURiLO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

00060101.00060101

Unicode based on Runtime Data (horsedeal.exe )

0E?dGEm(HO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

0uO%C'|W<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

1"HzPzj&HH

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

14.0.1001.380

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

1g[m}EH%Q0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

2$uoQ->yMx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

2SAm@zx=dKR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3!=OD]_q`&

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3456789+/

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3aAlJmixgXqqYGXWTN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4gA9oCrqzfpk7dnRjcVGvQbqZeqCLF8P|+

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4JI#xjt SN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4r8AM3zW841

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4rFC+)_-a5@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4~8n)L+HxLP

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

5(q>$'rmI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

5*ElkBFsr8]qt

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

50u$\#ARv

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

66;;;;AAAHJGC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6;WWWWWSQP;E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6_1$ ~:$:I

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6SZWZZZ[ZWWTSR@EG

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

7SZfggggg[[bYYTmH

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

7uhJCtMX1+

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

8:l51r2RZ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

8Qo`~fXm$@0(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

:Y%NeW&tmk

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

:z":Mj>_@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

;;;;;9@EEGC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

;Q-G!#~.2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

<\&]-kWo`d

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

<d>*kVdFE

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=8y#N6{(b5|+x3}-

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=DM0j">Ab"|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=G@T"WJe}

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=owR@'oU(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

>Zk~'dJ`6

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

>}e\]IuL^M

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

?__;?,___gq_,9,

Ansi based on Image Processing (screen_0.png)

@ 4b0ESfZ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@CY$ "fYZ,

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@T*cDQnFh

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@V,NX2|H(rN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (horsedeal.exe )

\ThemeApiPort

Unicode based on Runtime Data (horsedeal.exe )

\vc# $$t0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

\XLhKI*ht

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

^&PP,CYH9>

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

^_`abcdefghijklmnopq

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_61>vlVdDX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_?__?_?v?______

Ansi based on Image Processing (screen_0.png)

_GW)$Vx)|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_qu&y=S+~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

`\??\Volume{dcbfaac3-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac4-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac7-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`R(@h'IG?vka

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A$:qh`lB8:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A8x!Z6z%r4|)

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

a>imMG~VfzS

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ADVAPI32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AEQAfUDvrYL7lF1XhXKge33OT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

aForMLip*Obj

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

After installation, the Pidgin client will prompt you to create a new account.

Ansi based on Dropped File (#Decryption#.txt)

aI8J4e|H_

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

All your files have been EN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

All your files have been ENCRYPTED!!!

Ansi based on Dropped File (#Decryption#.txt)

Ansi based on Runtime Data (horsedeal.exe )

All your files have been ENCRYPTED!!!Write to our ICQ https://icq.im/bigbosshorse Or contact us via jabber - bigbosshorse@xmpp.jpJabber client installation instructions:Download the jabber (Pidgin) client from https://pidgin.im/download/windows/ After installation, the Pidgin client will prompt you to create a new account. Click - AddIn the -Protocol field, select XMPP In -Username - come up with any name In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im Create a passwordAt the bottom, put a tick -Create account Click add If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data: User password You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below) If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq Attention!Do not rename encrypted files. Do not try to decrypt your data using third party software, it may cause permanent data loss. Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam. tell your unique IDG5GeGuVi9514lJ+lzWsecw2pNdfHIZkMpdXOZUhcrrRestACPM3EvLC+xhRBpi3FVbnu1ohy9o+lauc5zzwA0XeW0TGshYIWKhdJ7T5hWvQHdCHmKm71DrQgw7Tk/DIVXX7uV1CDoqhWp0jmCthGxpBLfcYVQKUxZ6wlbi60k50i+g+5pqqefwO2uwd9K9g8R4IKZxGlHEvWiOJimVufTFpQZL95xgMO/eyaCKZ6w3MPpKkgxYIBpnvNa+XF3jn7xLFUfu4holvBPBexdFfuuMItn5bsswe/gOYAPel7cTnqFvHBDj5Nlj+E20VrCjcRhV2fJ1nM6KU8WzqkriKtyUAvLKmPuBSfoIXiF0qfMtRI2uKEH0SVbfS6O+oR966pBdOkye5y4nS4Ux4KUt6u9mox7KcdxOnKqzgZoh+Hgq/iOzDUmWHP1qiA3lIroAEJgTFV69Yno84YElf1MjLULo0LiiYESAr7qO1XZlTFtC78qZammliuCstZ43BpBC+9S0gowFyUKeC/isJ74na1QJlweuhGz1uTStAX8eNzr3TaFmpOL9MIDTj9LJ21vGSzzsJP1V0Rh1yywaRE2y8TF+9fVX13rmDckI9Qa0WmkUo86VzBJ1spFn5lTAmpm4S7+tuTfdfjI/fwVh5CNBE9P1LjU0AjGd/HFelhrFxM6xeVLKpSX1KgqIIKBdUo3ubCZ0kXD1CEbMdtXVOUoGyDXLZtH56o7RxeFxkJragytcxl6XSRTnprOikdw1hE6TEqs0JJsgX/chgW/OzATR4q7eBHnzRRjmlUn8w2/6KUhfnbuQSJqvAQl8Lh3X+ApXathkoV2kP4AEceXiICTKP/qa8BcyQle3vNTPKXSdjkIf+Z32K1VhI1WKDUess3wzx1o6M1gN63szTXkUPJZf9iuNsP6Uy0/iyK2zhwtW8xMY1guLetTCFzOpQRACJ0vcggv8MndleTMC/z4fDw1inZvlUPQ0NKlmOumy43rPoZx/UbZuPTDq/YKw+79Jah/xUtTg5MLnbt6eW2gwI54p8xaEbKpFezxd+wg0vXaSuEcuexpaabnC2COFdpZXLE8lzFXkdxepBG8QzW3FrbE50868Df0pmIrwGEmEOzwg0pfXqF12iy8BcLgwYjHH4o6Qfi7+TGNCsFq1rA08wDvXzK4H0RRc+fWyn5bh5+HYq+qS+QQ0HxNaEq6H8lre3NvHRdQBWvA0ssStk+b+CvZMKLijXXSf9rwvEBuMpvMfJXvvjHAn5gta51VBBIOIab2cuxG+U1EMDko/jVLKnlyjWDyDFj4/8h6pZk6l2K7q2PQzqfdJThmM6Ivpd4omfgU+881/TD1y8J6gVrhinu0uj2jA==

Ansi based on Dropped File (#Decryption#.txt)

AlwaysShowExt

Unicode based on Runtime Data (horsedeal.exe )

aPDBKBtrhStq2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

At the bottom, put a tick -Create account

Ansi based on Dropped File (#Decryption#.txt)

Attention!

Ansi based on Dropped File (#Decryption#.txt)

Attributes

Unicode based on Runtime Data (horsedeal.exe )

AutoCheckSelect

Unicode based on Runtime Data (horsedeal.exe )

AVG Diagnostics

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AVG Technologies, sro

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

avgdiagex.exe

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AWh@(7 yPg

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A}X0"V3EN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

B'Tjh,pE<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

BB#J&kSBR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

blhL]p2?):xM

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

BrowseInPlace

Unicode based on Runtime Data (horsedeal.exe )

C$n&v0kJt,Qa

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CallForAttributes

Unicode based on Runtime Data (horsedeal.exe )

Cbg`?Wr|+/

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CEIPEnable

Unicode based on Runtime Data (horsedeal.exe )

cKKN$Cdbc[

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ClassicShell

Unicode based on Runtime Data (horsedeal.exe )

Click - Add

Ansi based on Dropped File (#Decryption#.txt)

Click add

Ansi based on Dropped File (#Decryption#.txt)

CompanyName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CompatDll

Unicode based on Runtime Data (horsedeal.exe )

ComputerName

Unicode based on Runtime Data (horsedeal.exe )

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CQPttps://icq.im/bigbosshors

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Create a password

Ansi based on Dropped File (#Decryption#.txt)

CRYPTED!Writ0to UI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CryptGenKey

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CWDIllegalInDLLSearch

Unicode based on Runtime Data (horsedeal.exe )

D-x3or?njI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DCaHWuYM/@.7J5h

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Ansi based on Dropped File (#Decryption#.txt)

DEFGHIJKLMNOPQRSTUVW?XYZ[\]l

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Description

Unicode based on Runtime Data (horsedeal.exe )

DevicePath

Unicode based on Runtime Data (horsedeal.exe )

DiDRzA)E=

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DisableMetaFiles

Unicode based on Runtime Data (horsedeal.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (horsedeal.exe )

DMpH)l=TT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Do not rename encrypted files.

Ansi based on Dropped File (#Decryption#.txt)

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Ansi based on Dropped File (#Decryption#.txt)

DocObject

Unicode based on Runtime Data (horsedeal.exe )

DontPrettyPath

Unicode based on Runtime Data (horsedeal.exe )

DontShowSuperHidden

Unicode based on Runtime Data (horsedeal.exe )

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

Ansi based on Dropped File (#Decryption#.txt)

DriveMask

Unicode based on Runtime Data (horsedeal.exe )

DsufIgPCR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

dSXC{Rf<1S

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DYr)){;?q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DZCR00iCi3uIXdUFRaw

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

D}+P@\?"?~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EbF!MAJJDx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EE99AAARUUULLJJKO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EhbGBD#$"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

eK(25~[W#

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EnableShellExecuteHooks

Unicode based on Runtime Data (horsedeal.exe )

ExitProcess

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

F1_n~07IP(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileDescription

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FipsAlgorithmPolicy

Unicode based on Runtime Data (horsedeal.exe )

FolderTypeID

Unicode based on Runtime Data (horsedeal.exe )

fR848diM<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

fromCp7>{kIdu/w

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

fvoc{{3XCUs

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Ansi based on Runtime Data (horsedeal.exe )

G5GeGuVi9514lJ+lzWsecw2pNdfHIZkMpdXOZUhcrrRestACPM3EvLC+xhRBpi3FVbnu1ohy9o+lauc5zzwA0XeW0TGshYIWKhdJ7T5hWvQHdCHmKm71DrQgw7Tk/DIVXX7uV1CDoqhWp0jmCthGxpBLfcYVQKUxZ6wlbi60k50i+g+5pqqefwO2uwd9K9g8R4IKZxGlHEvWiOJimVufTFpQZL95xgMO/eyaCKZ6w3MPpKkgxYIBpnvNa+XF3jn7xLFUfu4holvBPBexdFfuuMItn5bsswe/gOYAPel7cTnqFvHBDj5Nlj+E20VrCjcRhV2fJ1nM6KU8WzqkriKtyUAvLKmPuBSfoIXiF0qfMtRI2uKEH0SVbfS6O+oR966pBdOkye5y4nS4Ux4KUt6u9mox7KcdxOnKqzgZoh+Hgq/iOzDUmWHP1qiA3lIroAEJgTFV69Yno84YElf1MjLULo0LiiYESAr7qO1XZlTFtC78qZammliuCstZ43BpBC+9S0gowFyUKeC/isJ74na1QJlweuhGz1uTStAX8eNzr3TaFmpOL9MIDTj9LJ21vGSzzsJP1V0Rh1yywaRE2y8TF+9fVX13rmDckI9Qa0WmkUo86VzBJ1spFn5lTAmpm4S7+tuTfdfjI/fwVh5CNBE9P1LjU0AjGd/HFelhrFxM6xeVLKpSX1KgqIIKBdUo3ubCZ0kXD1CEbMdtXVOUoGyDXLZtH56o7RxeFxkJragytcxl6XSRTnprOikdw1hE6TEqs0JJsgX/chgW/OzATR4q7eBHnzRRjmlUn8w2/6KUhfnbuQSJqvAQl8Lh3X+ApXathkoV2kP4AEceXiICTKP/qa8BcyQle3vNTPKXSdjkIf+Z32K1VhI1WKDUess3wzx1o6M1gN63szTXkUPJZf9iuNsP6Uy0/iyK2zhwtW8xMY1guLetTCFzOpQRACJ0vcggv8MndleTMC/z4fDw1inZvlUPQ0NKlmOumy43rPoZx/UbZuPTDq/YKw+79Jah/xUtTg5MLnbt6eW2gwI54p8xaEbKpFezxd+wg0vXaSuEcuexpaabnC2COFdpZXLE8lzFXkdxepBG8QzW3FrbE50868Df0pmIrwGEmEOzwg0pfXqF12iy8BcLgwYjHH4o6Qfi7+TGNCsFq1rA08wDvXzK4H0RRc+fWyn5bh5+HYq+qS+QQ0HxNaEq6H8lre3NvHRdQBWvA0ssStk+b+CvZMKLijXXSf9rwvEBuMpvMfJXvvjHAn5gta51VBBIOIab2cuxG+U1EMDko/jVLKnlyjWDyDFj4/8h6pZk6l2K7q2PQzqfdJThmM6Ivpd4omfgU+881/TD1y8J6gVrhinu0uj2jA==

Ansi based on Dropped File (#Decryption#.txt)

Generation

Unicode based on Runtime Data (horsedeal.exe )

GetProcAddress

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GHLnppsssspqMNKB

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GJMqsttttttqrNDO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

gkllllklihdbbYT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GoodFon.ru

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

gYy0ZDOhsWwBJW0B8cSFWvg

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

h64BCZE19Y

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

HasNavigationEnum

Unicode based on Runtime Data (horsedeal.exe )

hc,/1Z@Bei

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

hGRUzr`9?

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

HideFileExt

Unicode based on Runtime Data (horsedeal.exe )

HideFolderVerbs

Unicode based on Runtime Data (horsedeal.exe )

HideIcons

Unicode based on Runtime Data (horsedeal.exe )

HideInWebView

Unicode based on Runtime Data (horsedeal.exe )

HideOnDesktopPerUser

Unicode based on Runtime Data (horsedeal.exe )

i6A_hArE5i

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

I6ThICDA%

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

i9Nlt-QDC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IA*A9hkY?K

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IconsOnly

Unicode based on Runtime Data (horsedeal.exe )

Idh0lOz3W4C35xRKNbQW7Xt

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install

Ansi based on Dropped File (#Decryption#.txt)

If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq

Ansi based on Dropped File (#Decryption#.txt)

If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data:

Ansi based on Dropped File (#Decryption#.txt)

Image Path

Unicode based on Runtime Data (horsedeal.exe )

In -Username - come up with any name

Ansi based on Dropped File (#Decryption#.txt)

In the -Protocol field, select XMPP

Ansi based on Dropped File (#Decryption#.txt)

In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im

Ansi based on Dropped File (#Decryption#.txt)

InitFolderHandler

Unicode based on Runtime Data (horsedeal.exe )

INPJ^@Aa:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

InternalName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

iQNJ^E=lA

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IsShortcut

Unicode based on Runtime Data (horsedeal.exe )

Iu1F.WPSkWz8Q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IxX{8dBgBx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

iZ0I+f|mh,

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

I|mB&*tB]

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

J_#&v)?&,lG2~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Jabber client installation instructions:

Ansi based on Dropped File (#Decryption#.txt)

jDVLY+XEu9JJ8qt57

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

jtZX]d% ],

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Jxze9</g,n

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Jz!(G}&>D

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

J{"(H}%6F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ke8rQ$^[8|p@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

KERNEL32.DLL

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l>,)<a`9$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

L\OHcontact u

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l`rd48RZ(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LanmanWorkstation

Unicode based on Runtime Data (horsedeal.exe )

LegalCopyright

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LmG!oJZ`f

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LoadAppInit_DLLs

Unicode based on Runtime Data (horsedeal.exe )

LoadLibraryA

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Local Build

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LocalizedName

Unicode based on Runtime Data (horsedeal.exe )

LocalRedirectOnly

Unicode based on Runtime Data (horsedeal.exe )

lsxPzI.zZFG

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ltd/0`!S;.

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Lx?=gP%Q'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l}gOoebj2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

MachineGuid

Unicode based on Runtime Data (horsedeal.exe )

MachinePreferredUILanguages

Unicode based on Runtime Data (horsedeal.exe )

MapNetDriveVerbs

Unicode based on Runtime Data (horsedeal.exe )

MapNetDrvBtn

Unicode based on Runtime Data (horsedeal.exe )

MaximizeApps

Unicode based on Runtime Data (horsedeal.exe )

MaxRpcSize

Unicode based on Runtime Data (horsedeal.exe )

mKXZ.%(Apf

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

mPDAARPR:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

MPP K-U$rnamVvc

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

mTP~08jS<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

nEUOXADx/fwMxGj0Lp+g

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

NeverShowExt

Unicode based on Runtime Data (horsedeal.exe )

NJGZ,hHbE

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

nm:tSHlgsJTerm

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

NoCommonGroups

Unicode based on Runtime Data (horsedeal.exe )

NoControlPanel

Unicode based on Runtime Data (horsedeal.exe )

NoFileFolderJunction

Unicode based on Runtime Data (horsedeal.exe )

NoInternetIcon

Unicode based on Runtime Data (horsedeal.exe )

NoNetCrawling

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesMyComputer

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesRecycleBin

Unicode based on Runtime Data (horsedeal.exe )

NoSetFolders

Unicode based on Runtime Data (horsedeal.exe )

NoSimpleStartMenu

Unicode based on Runtime Data (horsedeal.exe )

NoWebView

Unicode based on Runtime Data (horsedeal.exe )

Np"NShh$k

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

O3$h! 3\F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

OOBEInProgress

Unicode based on Runtime Data (horsedeal.exe )

Or contact us via jabber - bigbosshorse@xmpp.jp

Ansi based on Dropped File (#Decryption#.txt)

OriginalFilename

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Oï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (horsedeal.exe )

P0te$tfnR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

p`$M ~)<J

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

P`@.PSOH@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (horsedeal.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (horsedeal.exe )

ParentFolder

Unicode based on Runtime Data (horsedeal.exe )

ParsingName

Unicode based on Runtime Data (horsedeal.exe )

pDyR|NQ-@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PGy!hE|$|C~'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PhlYxoHs9

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PinToNameSpaceTree

Unicode based on Runtime Data (horsedeal.exe )

PreCreate

Unicode based on Runtime Data (horsedeal.exe )

PreferExternalManifest

Unicode based on Runtime Data (horsedeal.exe )

PreferredUILanguages

Unicode based on Runtime Data (horsedeal.exe )

PrivateKeyLifetimeSeconds

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCacheMaxItems

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCachePurgeIntervalSeconds

Unicode based on Runtime Data (horsedeal.exe )

pRlMH,j,~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ProductName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ProductVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ProviderOrder

Unicode based on Runtime Data (horsedeal.exe )

ProviderPath

Unicode based on Runtime Data (horsedeal.exe )

PublishExpandedPath

Unicode based on Runtime Data (horsedeal.exe )

qk4R:NS/&

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

QKJZ .$JX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

QueryForInfoTip

Unicode based on Runtime Data (horsedeal.exe )

QueryForOverlay

Unicode based on Runtime Data (horsedeal.exe )

qwA>B7i!=

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

r0VBc|D9A%f

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RBhv@XEI@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ReadFileI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RelativePath

Unicode based on Runtime Data (horsedeal.exe )

ReoRBhdU1h

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RestrictedAttributes

Unicode based on Runtime Data (horsedeal.exe )

ROx%)t#r&C

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

rq=F=R9m?H

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RyrtM[FOX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S"c'C1$IN"p$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S7EjJFbd!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S`_qF2D`dz

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SafeDllSearchMode

Unicode based on Runtime Data (horsedeal.exe )

SafeProcessSearchMode

Unicode based on Runtime Data (horsedeal.exe )

SeparateProcess

Unicode based on Runtime Data (horsedeal.exe )

SHELL32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ShellExecuteW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ShellState

Unicode based on Runtime Data (horsedeal.exe )

SHLWAPI.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ShowCompColor

Unicode based on Runtime Data (horsedeal.exe )

ShowInfoTip

Unicode based on Runtime Data (horsedeal.exe )

ShowSuperHidden

Unicode based on Runtime Data (horsedeal.exe )

ShowTypeOverlay

Unicode based on Runtime Data (horsedeal.exe )

SizeEx=Nex;l

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SourcePath

Unicode based on Runtime Data (horsedeal.exe )

SQMServiceList

Unicode based on Runtime Data (horsedeal.exe )

StreamResource

Unicode based on Runtime Data (horsedeal.exe )

StreamResourceType

Unicode based on Runtime Data (horsedeal.exe )

StringFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

sysnative

Unicode based on Runtime Data (horsedeal.exe )

SystemParametersInfoW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SystemSetupInProgress

Unicode based on Runtime Data (horsedeal.exe )

T'S}R02A\d

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t1Ml$eh1M'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t5ThW+Z8C

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t@Z@4A29F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

tell your unique ID

Ansi based on Dropped File (#Decryption#.txt)

ThemeApiConnectionRequest

Unicode based on Runtime Data (horsedeal.exe )

Tmjku7nYX0WS6g

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Translation

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

TransparentEnabled

Unicode based on Runtime Data (horsedeal.exe )

tSzmH8ML-l2U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

TTWl7k5hbf49hgnZUYRDlM+H/YQ89U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

tyP958*tPs

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

U$P NI"?t

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uG=@e9mAHF

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uM9mfBUib

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

UO`$'.tHC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

UoXGdDXeM9CdwKL4tF6+B3oT0zYe4

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uQCWh7I2I4Klq

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Us*Defaul?

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

UseDropHandler

Unicode based on Runtime Data (horsedeal.exe )

USER32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

v<dLRJ~+v

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

v@^iv((VR7D

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VarFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

vhmb!U@`VV

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VirtualProtect

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VS_VERSION_INFO

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

WAhz"vvy`6

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

WantsAliasedNotifications

Unicode based on Runtime Data (horsedeal.exe )

WantsFORDISPLAY

Unicode based on Runtime Data (horsedeal.exe )

WantsFORPARSING

Unicode based on Runtime Data (horsedeal.exe )

WantsParseDisplayName

Unicode based on Runtime Data (horsedeal.exe )

WantsUniversalDelegate

Unicode based on Runtime Data (horsedeal.exe )

WNetOpenEnumW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Write to our ICQ https://icq.im/bigbosshorse

Ansi based on Dropped File (#Decryption#.txt)

wSiik`V_`iiiidbZW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

wUsIJNjSEHg0K

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xl/qg3kKz

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xpJ+W[&xM

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xQ67=BegB

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

XVf>[h$zcQ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

Ansi based on Dropped File (#Decryption#.txt)

Yr[H<9i>E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Z/IR,n$5@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Zdqv*jfTD9OAbtIk88fjh5A

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ZG.($PTf(,0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

zx4 d?%Mo0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Zz^i70C"o

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|$}rstuvwxyz{$>?@ABC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|>ah-[P6\4P

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|?Jxs2"27

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|xPdOsYje1UhuP+"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

}:BLA;`L#

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

~ifxrtLs 0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!!!%%%(((((((((((

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!!%%%((((((((!(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%%(((()))).).))

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%(()0uvz{{{{{{y

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"!!"(%())0))((!!!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%!((()01uvyxyy10

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%%%()).001111

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%()1x{{~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%!d}r2$:[

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%(0uyyyyu0)(!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%GUID:"Computer"%

Unicode based on Runtime Data (horsedeal.exe )

*%5 .tp

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*- S@xmpp.jp`

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.l|l@@@;Q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6;WWWWWSQP;E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=8y#N6{(b5|+x3}-

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (horsedeal.exe )

\ThemeApiPort

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac3-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac4-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac7-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

After installation, the Pidgin client will prompt you to create a new account.

Ansi based on Dropped File (#Decryption#.txt)

All your files have been ENCRYPTED!!!

Ansi based on Dropped File (#Decryption#.txt)

Ansi based on Runtime Data (horsedeal.exe )

avgdiagex.exe

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CompanyName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CompatDll

Unicode based on Runtime Data (horsedeal.exe )

ComputerName

Unicode based on Runtime Data (horsedeal.exe )

CQPttps://icq.im/bigbosshors

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CryptGenKey

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Ansi based on Dropped File (#Decryption#.txt)

Description

Unicode based on Runtime Data (horsedeal.exe )

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

Ansi based on Dropped File (#Decryption#.txt)

EnableShellExecuteHooks

Unicode based on Runtime Data (horsedeal.exe )

ExitProcess

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileDescription

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GetProcAddress

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GoodFon.ru

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install

Ansi based on Dropped File (#Decryption#.txt)

If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq

Ansi based on Dropped File (#Decryption#.txt)

If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data:

Ansi based on Dropped File (#Decryption#.txt)

In -Username - come up with any name

Ansi based on Dropped File (#Decryption#.txt)

In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im

Ansi based on Dropped File (#Decryption#.txt)

Jabber client installation instructions:

Ansi based on Dropped File (#Decryption#.txt)

Local Build

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LocalizedName

Unicode based on Runtime Data (horsedeal.exe )

LocalRedirectOnly

Unicode based on Runtime Data (horsedeal.exe )

NoCommonGroups

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesMyComputer

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesRecycleBin

Unicode based on Runtime Data (horsedeal.exe )

Or contact us via jabber - bigbosshorse@xmpp.jp

Ansi based on Dropped File (#Decryption#.txt)

PrivateKeyLifetimeSeconds

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCacheMaxItems

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCachePurgeIntervalSeconds

Unicode based on Runtime Data (horsedeal.exe )

ProductVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

QueryForInfoTip

Unicode based on Runtime Data (horsedeal.exe )

SafeProcessSearchMode

Unicode based on Runtime Data (horsedeal.exe )

SeparateProcess

Unicode based on Runtime Data (horsedeal.exe )

ShellExecuteW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ShowCompColor

Unicode based on Runtime Data (horsedeal.exe )

ShowInfoTip

Unicode based on Runtime Data (horsedeal.exe )

SQMServiceList

Unicode based on Runtime Data (horsedeal.exe )

StringFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SystemParametersInfoW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ThemeApiConnectionRequest

Unicode based on Runtime Data (horsedeal.exe )

VarFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VS_VERSION_INFO

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Write to our ICQ https://icq.im/bigbosshorse

Ansi based on Dropped File (#Decryption#.txt)

wUsIJNjSEHg0K

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!!!%%%(((((((((((

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!!%%%((((((((!(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%%(((()))).).))

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!!%(()0uvz{{{{{{y

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!%xLApLP|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

!This program cannot be run in DOS mode.$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"!!"(%())0))((!!!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"""""""")

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%!((()01uvyxyy10

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%%%()).001111

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

"%%()1x{{~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

",muZ<_\.

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$&i,-Cn6bF

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$3XS040|I

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$Drives".n6rstAW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

$X9z=i#Z]j

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%!d}r2$:[

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%(0uyyyyu0)(!!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)B nGi}H`

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)D|$${R"<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)q>W0yE<e)bU

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

)X{B*aH|v

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*%5 .tp

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*- S@xmpp.jp`

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*8EV^wkAW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*_PaEKbl_3

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

*LY6Qk,Pf

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+@_\|P$gCo

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+ACA2Q(Cn

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+HX_H=Yx(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+nqyvZtgpjCy

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

+w@Wi"exd

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,b $F))%

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,fGYTQiI4

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,Hlt<ElNzK

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

,lK/[zR.F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

-W2x0dE~r

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

-YQl`aN`E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.$fi%bwm"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.AvbKm%~U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.d)DjL6.hdP

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.l|l@@@;Q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

.YY_U"{t\

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

/c'm8r(E6A

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

/Vsm0Q54TuzURiLO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

0E?dGEm(HO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

0uO%C'|W<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

1"HzPzj&HH

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

14.0.1001.380

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

1g[m}EH%Q0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

2$uoQ->yMx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

2SAm@zx=dKR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3!=OD]_q`&

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3456789+/

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

3aAlJmixgXqqYGXWTN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4gA9oCrqzfpk7dnRjcVGvQbqZeqCLF8P|+

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4JI#xjt SN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4r8AM3zW841

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4rFC+)_-a5@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

4~8n)L+HxLP

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

5(q>$'rmI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

5*ElkBFsr8]qt

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

50u$\#ARv

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

66;;;;AAAHJGC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6;WWWWWSQP;E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6_1$ ~:$:I

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

6SZWZZZ[ZWWTSR@EG

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

7SZfggggg[[bYYTmH

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

7uhJCtMX1+

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

8:l51r2RZ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

8Qo`~fXm$@0(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

:Y%NeW&tmk

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

:z":Mj>_@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

;;;;;9@EEGC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

;Q-G!#~.2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

<\&]-kWo`d

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

<d>*kVdFE

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=8y#N6{(b5|+x3}-

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=DM0j">Ab"|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=G@T"WJe}

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

=owR@'oU(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

>Zk~'dJ`6

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

>}e\]IuL^M

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@ 4b0ESfZ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@CY$ "fYZ,

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@T*cDQnFh

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

@V,NX2|H(rN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

\vc# $$t0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

\XLhKI*ht

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

^&PP,CYH9>

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

^_`abcdefghijklmnopq

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_61>vlVdDX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_GW)$Vx)|

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

_qu&y=S+~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

`R(@h'IG?vka

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A$:qh`lB8:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A8x!Z6z%r4|)

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

a>imMG~VfzS

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ADVAPI32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AEQAfUDvrYL7lF1XhXKge33OT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

aForMLip*Obj

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

aI8J4e|H_

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

All your files have been EN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

aPDBKBtrhStq2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AVG Diagnostics

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AVG Technologies, sro

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

avgdiagex.exe

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

AWh@(7 yPg

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

A}X0"V3EN

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

B'Tjh,pE<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

BB#J&kSBR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

blhL]p2?):xM

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

C$n&v0kJt,Qa

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Cbg`?Wr|+/

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

cKKN$Cdbc[

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CompanyName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CQPttps://icq.im/bigbosshors

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CRYPTED!Writ0to UI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

CryptGenKey

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

D-x3or?njI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DCaHWuYM/@.7J5h

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DEFGHIJKLMNOPQRSTUVW?XYZ[\]l

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DiDRzA)E=

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DMpH)l=TT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DsufIgPCR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

dSXC{Rf<1S

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DYr)){;?q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

DZCR00iCi3uIXdUFRaw

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

D}+P@\?"?~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EbF!MAJJDx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EE99AAARUUULLJJKO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

EhbGBD#$"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

eK(25~[W#

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ExitProcess

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

F1_n~07IP(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileDescription

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

FileVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

fR848diM<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

fromCp7>{kIdu/w

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

fvoc{{3XCUs

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GetProcAddress

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GHLnppsssspqMNKB

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GJMqsttttttqrNDO

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

gkllllklihdbbYT

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

GoodFon.ru

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

gYy0ZDOhsWwBJW0B8cSFWvg

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

h64BCZE19Y

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

hc,/1Z@Bei

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

hGRUzr`9?

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

i6A_hArE5i

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

I6ThICDA%

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

i9Nlt-QDC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IA*A9hkY?K

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Idh0lOz3W4C35xRKNbQW7Xt

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

INPJ^@Aa:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

InternalName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

iQNJ^E=lA

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Iu1F.WPSkWz8Q

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

IxX{8dBgBx

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

iZ0I+f|mh,

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

I|mB&*tB]

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

J_#&v)?&,lG2~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

jDVLY+XEu9JJ8qt57

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

jtZX]d% ],

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Jxze9</g,n

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Jz!(G}&>D

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

J{"(H}%6F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ke8rQ$^[8|p@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

KERNEL32.DLL

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l>,)<a`9$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

L\OHcontact u

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l`rd48RZ(

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LegalCopyright

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LmG!oJZ`f

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

LoadLibraryA

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Local Build

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

lsxPzI.zZFG

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ltd/0`!S;.

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Lx?=gP%Q'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

l}gOoebj2

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

mKXZ.%(Apf

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

mPDAARPR:

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

MPP K-U$rnamVvc

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

mTP~08jS<

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

nEUOXADx/fwMxGj0Lp+g

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

NJGZ,hHbE

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

nm:tSHlgsJTerm

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Np"NShh$k

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

O3$h! 3\F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

OriginalFilename

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

P0te$tfnR

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

p`$M ~)<J

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

P`@.PSOH@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

pDyR|NQ-@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PGy!hE|$|C~'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

PhlYxoHs9

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

pRlMH,j,~

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ProductName

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ProductVersion

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

qk4R:NS/&

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

QKJZ .$JX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

qwA>B7i!=

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

r0VBc|D9A%f

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RBhv@XEI@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ReadFileI

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ReoRBhdU1h

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ROx%)t#r&C

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

rq=F=R9m?H

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

RyrtM[FOX

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S"c'C1$IN"p$

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S7EjJFbd!

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

S`_qF2D`dz

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SHELL32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ShellExecuteW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SHLWAPI.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SizeEx=Nex;l

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

StringFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

SystemParametersInfoW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

T'S}R02A\d

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t1Ml$eh1M'

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t5ThW+Z8C

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

t@Z@4A29F

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Tmjku7nYX0WS6g

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Translation

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

tSzmH8ML-l2U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

TTWl7k5hbf49hgnZUYRDlM+H/YQ89U

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

tyP958*tPs

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

U$P NI"?t

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uG=@e9mAHF

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uM9mfBUib

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

UO`$'.tHC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

UoXGdDXeM9CdwKL4tF6+B3oT0zYe4

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

uQCWh7I2I4Klq

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Us*Defaul?

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

USER32.dll

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

v<dLRJ~+v

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

v@^iv((VR7D

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VarFileInfo

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

vhmb!U@`VV

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VirtualProtect

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

VS_VERSION_INFO

Unicode based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

WAhz"vvy`6

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

WNetOpenEnumW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

wSiik`V_`iiiidbZW

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

wUsIJNjSEHg0K

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xl/qg3kKz

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xpJ+W[&xM

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

xQ67=BegB

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

XVf>[h$zcQ

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Yr[H<9i>E

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Z/IR,n$5@

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Zdqv*jfTD9OAbtIk88fjh5A

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

ZG.($PTf(,0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

zx4 d?%Mo0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

Zz^i70C"o

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|$}rstuvwxyz{$>?@ABC

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|>ah-[P6\4P

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|?Jxs2"27

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

|xPdOsYje1UhuP+"

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

}:BLA;`L#

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

~ifxrtLs 0

Ansi based on Memory/File Scan (f961ded251814ed0cbbc17f7f1594988f49a3e69f678aa7ec6bf197c2832256a.bin)

%GUID:"Computer"%

Unicode based on Runtime Data (horsedeal.exe )

00060101.00060101

Unicode based on Runtime Data (horsedeal.exe )

\Sessions\1\Windows\ApiPort

Unicode based on Runtime Data (horsedeal.exe )

\ThemeApiPort

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac3-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac4-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

`\??\Volume{dcbfaac7-d863-11e7-b9ff-806e6f6e6963}

Unicode based on Runtime Data (horsedeal.exe )

Ansi based on Runtime Data (horsedeal.exe )

AlwaysShowExt

Unicode based on Runtime Data (horsedeal.exe )

Attributes

Unicode based on Runtime Data (horsedeal.exe )

AutoCheckSelect

Unicode based on Runtime Data (horsedeal.exe )

BrowseInPlace

Unicode based on Runtime Data (horsedeal.exe )

CallForAttributes

Unicode based on Runtime Data (horsedeal.exe )

CEIPEnable

Unicode based on Runtime Data (horsedeal.exe )

ClassicShell

Unicode based on Runtime Data (horsedeal.exe )

CompatDll

Unicode based on Runtime Data (horsedeal.exe )

ComputerName

Unicode based on Runtime Data (horsedeal.exe )

CWDIllegalInDLLSearch

Unicode based on Runtime Data (horsedeal.exe )

Description

Unicode based on Runtime Data (horsedeal.exe )

DevicePath

Unicode based on Runtime Data (horsedeal.exe )

DisableMetaFiles

Unicode based on Runtime Data (horsedeal.exe )

DisableUserModeCallbackFilter

Unicode based on Runtime Data (horsedeal.exe )

DocObject

Unicode based on Runtime Data (horsedeal.exe )

DontPrettyPath

Unicode based on Runtime Data (horsedeal.exe )

DontShowSuperHidden

Unicode based on Runtime Data (horsedeal.exe )

DriveMask

Unicode based on Runtime Data (horsedeal.exe )

EnableShellExecuteHooks

Unicode based on Runtime Data (horsedeal.exe )

FipsAlgorithmPolicy

Unicode based on Runtime Data (horsedeal.exe )

FolderTypeID

Unicode based on Runtime Data (horsedeal.exe )

Ansi based on Runtime Data (horsedeal.exe )

Generation

Unicode based on Runtime Data (horsedeal.exe )

HasNavigationEnum

Unicode based on Runtime Data (horsedeal.exe )

HideFileExt

Unicode based on Runtime Data (horsedeal.exe )

HideFolderVerbs

Unicode based on Runtime Data (horsedeal.exe )

HideIcons

Unicode based on Runtime Data (horsedeal.exe )

HideInWebView

Unicode based on Runtime Data (horsedeal.exe )

HideOnDesktopPerUser

Unicode based on Runtime Data (horsedeal.exe )

IconsOnly

Unicode based on Runtime Data (horsedeal.exe )

Image Path

Unicode based on Runtime Data (horsedeal.exe )

InitFolderHandler

Unicode based on Runtime Data (horsedeal.exe )

IsShortcut

Unicode based on Runtime Data (horsedeal.exe )

LanmanWorkstation

Unicode based on Runtime Data (horsedeal.exe )

LoadAppInit_DLLs

Unicode based on Runtime Data (horsedeal.exe )

LocalizedName

Unicode based on Runtime Data (horsedeal.exe )

LocalRedirectOnly

Unicode based on Runtime Data (horsedeal.exe )

MachineGuid

Unicode based on Runtime Data (horsedeal.exe )

MachinePreferredUILanguages

Unicode based on Runtime Data (horsedeal.exe )

MapNetDriveVerbs

Unicode based on Runtime Data (horsedeal.exe )

MapNetDrvBtn

Unicode based on Runtime Data (horsedeal.exe )

MaximizeApps

Unicode based on Runtime Data (horsedeal.exe )

MaxRpcSize

Unicode based on Runtime Data (horsedeal.exe )

NeverShowExt

Unicode based on Runtime Data (horsedeal.exe )

NoCommonGroups

Unicode based on Runtime Data (horsedeal.exe )

NoControlPanel

Unicode based on Runtime Data (horsedeal.exe )

NoFileFolderJunction

Unicode based on Runtime Data (horsedeal.exe )

NoInternetIcon

Unicode based on Runtime Data (horsedeal.exe )

NoNetCrawling

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesMyComputer

Unicode based on Runtime Data (horsedeal.exe )

NoPropertiesRecycleBin

Unicode based on Runtime Data (horsedeal.exe )

NoSetFolders

Unicode based on Runtime Data (horsedeal.exe )

NoSimpleStartMenu

Unicode based on Runtime Data (horsedeal.exe )

NoWebView

Unicode based on Runtime Data (horsedeal.exe )

OOBEInProgress

Unicode based on Runtime Data (horsedeal.exe )

Oï¿½ï¿½ï¿½ï¿½ï¿½

Ansi based on Runtime Data (horsedeal.exe )

PageAllocatorSystemHeapIsPrivate

Unicode based on Runtime Data (horsedeal.exe )

PageAllocatorUseSystemHeap

Unicode based on Runtime Data (horsedeal.exe )

ParentFolder

Unicode based on Runtime Data (horsedeal.exe )

ParsingName

Unicode based on Runtime Data (horsedeal.exe )

PinToNameSpaceTree

Unicode based on Runtime Data (horsedeal.exe )

PreCreate

Unicode based on Runtime Data (horsedeal.exe )

PreferExternalManifest

Unicode based on Runtime Data (horsedeal.exe )

PreferredUILanguages

Unicode based on Runtime Data (horsedeal.exe )

PrivateKeyLifetimeSeconds

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCacheMaxItems

Unicode based on Runtime Data (horsedeal.exe )

PrivKeyCachePurgeIntervalSeconds

Unicode based on Runtime Data (horsedeal.exe )

ProviderOrder

Unicode based on Runtime Data (horsedeal.exe )

ProviderPath

Unicode based on Runtime Data (horsedeal.exe )

PublishExpandedPath

Unicode based on Runtime Data (horsedeal.exe )

QueryForInfoTip

Unicode based on Runtime Data (horsedeal.exe )

QueryForOverlay

Unicode based on Runtime Data (horsedeal.exe )

RelativePath

Unicode based on Runtime Data (horsedeal.exe )

RestrictedAttributes

Unicode based on Runtime Data (horsedeal.exe )

SafeDllSearchMode

Unicode based on Runtime Data (horsedeal.exe )

SafeProcessSearchMode

Unicode based on Runtime Data (horsedeal.exe )

SeparateProcess

Unicode based on Runtime Data (horsedeal.exe )

ShellState

Unicode based on Runtime Data (horsedeal.exe )

ShowCompColor

Unicode based on Runtime Data (horsedeal.exe )

ShowInfoTip

Unicode based on Runtime Data (horsedeal.exe )

ShowSuperHidden

Unicode based on Runtime Data (horsedeal.exe )

ShowTypeOverlay

Unicode based on Runtime Data (horsedeal.exe )

SourcePath

Unicode based on Runtime Data (horsedeal.exe )

SQMServiceList

Unicode based on Runtime Data (horsedeal.exe )

StreamResource

Unicode based on Runtime Data (horsedeal.exe )

StreamResourceType

Unicode based on Runtime Data (horsedeal.exe )

sysnative

Unicode based on Runtime Data (horsedeal.exe )

SystemSetupInProgress

Unicode based on Runtime Data (horsedeal.exe )

ThemeApiConnectionRequest

Unicode based on Runtime Data (horsedeal.exe )

TransparentEnabled

Unicode based on Runtime Data (horsedeal.exe )

UseDropHandler

Unicode based on Runtime Data (horsedeal.exe )

WantsAliasedNotifications

Unicode based on Runtime Data (horsedeal.exe )

WantsFORDISPLAY

Unicode based on Runtime Data (horsedeal.exe )

WantsFORPARSING

Unicode based on Runtime Data (horsedeal.exe )

WantsParseDisplayName

Unicode based on Runtime Data (horsedeal.exe )

WantsUniversalDelegate

Unicode based on Runtime Data (horsedeal.exe )

?__;?,___gq_,9,

Ansi based on Image Processing (screen_0.png)

_?__?_?v?______

Ansi based on Image Processing (screen_0.png)

After installation, the Pidgin client will prompt you to create a new account.

Ansi based on Dropped File (#Decryption#.txt)

All your files have been ENCRYPTED!!!

Ansi based on Dropped File (#Decryption#.txt)

At the bottom, put a tick -Create account

Ansi based on Dropped File (#Decryption#.txt)

Attention!

Ansi based on Dropped File (#Decryption#.txt)

Click - Add

Ansi based on Dropped File (#Decryption#.txt)

Click add

Ansi based on Dropped File (#Decryption#.txt)

Create a password

Ansi based on Dropped File (#Decryption#.txt)

Decryption of your files with the help of third parties may cause increased price (they add their fee to our) or you can become a victim of a scam.

Ansi based on Dropped File (#Decryption#.txt)

Do not rename encrypted files.

Ansi based on Dropped File (#Decryption#.txt)

Do not try to decrypt your data using third party software, it may cause permanent data loss.

Ansi based on Dropped File (#Decryption#.txt)

Download the jabber (Pidgin) client from https://pidgin.im/download/windows/

Ansi based on Dropped File (#Decryption#.txt)

If you don't understand our Pidgin client installation instructions, you can find many installation tutorials on youtube - https://www.youtube.com/results?search_query=pidgin+jabber+install

Ansi based on Dropped File (#Decryption#.txt)

If you have not received a response from us then we may have technical problems and please write to us using Jaber here bigbosshorse@xmpp.jp or on icq

Ansi based on Dropped File (#Decryption#.txt)

If you selected -domain - exploit.im, then a new window should appear in which you will need to re-enter your data:

Ansi based on Dropped File (#Decryption#.txt)

In -Username - come up with any name

Ansi based on Dropped File (#Decryption#.txt)

In the -Protocol field, select XMPP

Ansi based on Dropped File (#Decryption#.txt)

In the field -domain - enter any jabber-server, there are a lot of them, for example - exploit.im

Ansi based on Dropped File (#Decryption#.txt)

Jabber client installation instructions:

Ansi based on Dropped File (#Decryption#.txt)

Or contact us via jabber - bigbosshorse@xmpp.jp

Ansi based on Dropped File (#Decryption#.txt)

tell your unique ID

Ansi based on Dropped File (#Decryption#.txt)

Write to our ICQ https://icq.im/bigbosshorse

Ansi based on Dropped File (#Decryption#.txt)

You will need to follow the link to the captcha (there you will see the characters that you need to enter in the field below)

Ansi based on Dropped File (#Decryption#.txt)

Extracted Files

Displaying 19 extracted file(s). The remaining 1981 file(s) are available in the full version and XML/JSON reports.

Informative Selection 1
- #Decryption#.txt
  
  Download Disabled Hash Seen Before
  
  Size
  2.8KiB (2893 bytes)
  
  Type
  text
  
  Description
  ASCII text, with very long lines, with CRLF line terminators
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  f568ed952c5d4b887762ea024030aaf0
  
  SHA1
  
  b28c863f0117f2ff6a73577666e45f91d679d9c5
  
  SHA256
  
  1d0cb7be06326402f13ec710852f21bd0d2345d77b55792bb303e69f8c01fc6a

Informative 18
- 001.png
  
  Download Disabled Hash Seen Before
  
  Size
  5.3KiB (5392 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  a179f182dbc885200893034a45ed60b6
  
  SHA1
  
  826768a615bb7e3411e4f9373c32d62f2b7f7da1
  
  SHA256
  
  67debf6638cc8884df01b77f40b15e5c7a78a55939ef95be244e09581ade5ef3
- 007.png
  
  Download Disabled Hash Seen Before
  
  Size
  3.1KiB (3154 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  2acea92a32d18a21a76708d0d65c47f2
  
  SHA1
  
  46a9c338a9c9df885484cb84e76e2b9ac23df797
  
  SHA256
  
  0f88f3a3c663ac9c6616bb6a75b85ff086fa39b24c2e5dce59647142d356974d
- 013.png
  
  Download Disabled Hash Seen Before
  
  Size
  6.5KiB (6610 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  c16091ad37117742ee40c17c513bcbbf
  
  SHA1
  
  95af015b5d81cbf3ca262715dd1c185c0fb3de84
  
  SHA256
  
  941dd27beee9f7430bac8214acea1a5deae6f4477d6943bb28cbed9efd9d6a44
- 011.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.8KiB (4959 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  15dd6d6b28b0b2d0d5b58110786973f1
  
  SHA1
  
  62d9179acda71b12a8055ecb86a06cbdfdf88318
  
  SHA256
  
  9089ef22388605fed784726fc6cd2d9202b7d80bfe295f4df73f0084267704cb
- 002.png
  
  Download Disabled Hash Seen Before
  
  Size
  5KiB (5136 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  94398287b9f1a4c5693f46e13f967e3f
  
  SHA1
  
  ddc356d7e6eea59312eea6d98b22427cc99f0fe1
  
  SHA256
  
  1cb2f9b6ef96e4e9f4f802588d73c3d91db156c16b13175b475aa48816b10d56
- 004.png
  
  Download Disabled Hash Seen Before
  
  Size
  3.3KiB (3428 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  f405611e8593fa25271a88614b75e866
  
  SHA1
  
  e5a50d1b4259540a8263132037f76decd9f96eae
  
  SHA256
  
  7f40f2ba476ee6488b46dbe47b13d2a59a84e9c344c419a286959a9eb9d21b18
- .lock
  
  Download Disabled Hash Seen Before
  
  Size
  132B (132 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  2b59e532f360b28645aa32eefeade512
  
  SHA1
  
  fc23ed39d3ad86634aee381124e15c1ff0b2c376
  
  SHA256
  
  f06bbe40f49f48b0e940723923b7441b168f2552d5c12f45843bcd9950a4ff7f
- 012.png
  
  Download Disabled Hash Seen Before
  
  Size
  6.3KiB (6499 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  aabc11f48b1b5391c8a9fb39e3649eaa
  
  SHA1
  
  c777dab45fea0ffe4fa67b6af8996164e19adad7
  
  SHA256
  
  654ce9088bce476f0cbea435b120e708c28c7a13a10015832ffe3fa3281a3c9f
- 010.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.2KiB (4280 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  a40e084475118a4fbfe4b29137f652d6
  
  SHA1
  
  1d36b37f0024e36094fb3cabaf42038c0631750c
  
  SHA256
  
  e230cdf8e3dcf5ce3ed45e9d9cac13abb5b22cb1a507f3d7f0f98da68dc89efb
- 005.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.8KiB (4873 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  c4b7832b8643b99db6f3cba49fc79f8a
  
  SHA1
  
  bcdba7f2ffd28f1dfe1cade8f2f6e6874e6e598a
  
  SHA256
  
  4754b7035a2bbbc2c4e8c54a584dcfc163d17b06c74b668e683a3cfb98618811
- 003.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.5KiB (4563 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  960c6addf2fb18bc006719decf4b00ba
  
  SHA1
  
  ebe555c9bee7a306038bcbcb7cbe1d77c6058696
  
  SHA256
  
  f1b3a0fe90c84bb0fa3826d135ebad8bbbc3952d883a9623a8db8ebb6d1d3f2d
- 008.png
  
  Download Disabled Hash Seen Before
  
  Size
  3.9KiB (3985 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  256bfce566d9d2b33a1a0e4c481def8c
  
  SHA1
  
  cf0a2c739ca3996fdded2e50aa884bb6a0be284f
  
  SHA256
  
  57a0c6c9228e83f00395ef6003f8651e9b8987c716434a375e08ee32e56c681e
- 017.png
  
  Download Disabled Hash Seen Before
  
  Size
  3KiB (3050 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  5c7290f24859b12d28fd80b86b6b2fdf
  
  SHA1
  
  a26f003a16c7d509ed38580eedcc135dc94f7a91
  
  SHA256
  
  cfc51e31b8729b2cfa0165628973ef81e33e9a6d661b74b80370512bb546fa08
- 015.png
  
  Download Disabled Hash Seen Before
  
  Size
  2.3KiB (2404 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  518e402822e5abbd496cdbfdfb61b9af
  
  SHA1
  
  f097379ee85ad398de641260e9ba8b552bea81cc
  
  SHA256
  
  59ddd33d08ded8e00eed2fadbd163d6158827f5e2401668cdd49eaa868d56920
- 006.png
  
  Download Disabled Hash Seen Before
  
  Size
  6.3KiB (6434 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  5c61e53d492fe2dec38f58ffea6b7ab0
  
  SHA1
  
  af335c0a8db888f0b7b4b8a85d1e411b833ebd2c
  
  SHA256
  
  644e3b5de5d2e9691b81b03d216588f6e4c9dbf9f68e40014ade153b96453fd2
- 016.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.4KiB (4541 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  450589db6209c14d59adbb8a06851dbd
  
  SHA1
  
  9c8f419141d8fc1e23d5ee0488fa0f8cdc4258ce
  
  SHA256
  
  de51652521bf4330bcb05dc6e495d4e5902ca61a28b33abfbf026b1f889c111f
- 009.png
  
  Download Disabled Hash Seen Before
  
  Size
  6.4KiB (6524 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  ffdf3ed9393e3e64f579ba04b8b3b2ea
  
  SHA1
  
  7fa9496027b20f8c2240af8dab0d9356a0d4c808
  
  SHA256
  
  a307b16bbc31521c82f397b69abe12545e608f7a175de4241ef777a6cb67a968
- 014.png
  
  Download Disabled Hash Seen Before
  
  Size
  4.3KiB (4399 bytes)
  
  Runtime Process
  horsedeal.exe (PID: 1132)
  
  MD5
  
  f591e42b1f6e030571838de8f932243b
  
  SHA1
  
  a3cd6244e6ea6a55d5f176b37c895ff476e58d95
  
  SHA256
  
  cf6b309e7b24280677b5ef66e3d68ed013c3c5e5604dd42fd5f9e4af914dba3d

Notifications

Runtime

Not all IP/URL string resources were checked online

Not all sources for indicator ID "api-25" are available in the report

Not all sources for indicator ID "binary-0" are available in the report

Not all sources for indicator ID "binary-10" are available in the report

Some low-level data is hidden, as this is only a slim report

Touched the maximum number of extracted files (2000), report might not contain information about some extracted files

Community

BleepingComputer commented 4 years ago updated

#Horsedeal #BigBossHorse #Ransomware

You must be logged in to submit a comment.

horsedeal.exe

Incident Response

Risk Assessment

MITRE ATT&CK™ Techniques Detection

Indicators

Malicious Indicators 3

Suspicious Indicators 23

Informative 9

File Details

horsedeal.exe

Resources

Visualization

Version Info

Classification (TrID)

File Metadata

File Sections

File Resources

File Imports

Screenshots

System Resource Monitor

Hybrid Analysis

Network Analysis

DNS Requests

Contacted Hosts

HTTP Traffic

Extracted Strings

Extracted Files

Informative Selection 1

#Decryption#.txt

Informative 18

001.png

007.png

013.png

011.png

Notifications

Runtime

Community

BleepingComputer commented 4 years ago updated

Latest News

Vetting required

Request Report Deletion

Link